From da9ecdf0cac7807876e6ba82fe91694788851c93 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Wed, 1 Apr 2026 20:35:41 +0100
Subject: [PATCH] fix: UI sidecar containers need --user 0:0 and CHOWN caps for rootless podman

The backend's post-install hooks create archy-bitcoin-ui, archy-lnd-ui, archy-electrs-ui containers but with only NET_BIND_SERVICE cap. Nginx inside these containers crashes on chown in rootless podman. Added --user=0:0, CHOWN, DAC_OVERRIDE, SETUID, SETGID caps to match the first-boot-containers.sh pattern.

Also fixed manifest publish Python error (git log fails in rsync'd workspace with no .git).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/build-iso-dev.yml | 14 ++++----------
 core/archipelago/src/api/rpc/package/install.rs | 9 ++++++++-
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/.gitea/workflows/build-iso-dev.yml b/.gitea/workflows/build-iso-dev.yml
index ce7bbb80..1b75258e 100644
--- a/.gitea/workflows/build-iso-dev.yml
+++ b/.gitea/workflows/build-iso-dev.yml
@@ -198,19 +198,13 @@ jobs:
 HOST=$(hostname -I 2>/dev/null | awk '{print $1}')
 BASE_URL="http://${HOST:-192.168.1.228}:8083/Builds/releases/v${VERSION}"
- # Get changelog from recent commits
- CHANGELOG=$(git log --oneline -10 --format='%s' | python3 -c "
- import sys, json
- lines = [l.strip() for l in sys.stdin if l.strip()]
- print(json.dumps(lines[:10]))
- " 2>/dev/null || echo '["Update to version '"$VERSION"'"]')
-
+ # Generate manifest JSON
 python3 -c "
 import json
 manifest = {
 'version': '$VERSION',
 'release_date': '$DATE',
- 'changelog': $CHANGELOG,
+ 'changelog': ['Update to version $VERSION'],
 'components': []
 }
 if '$BACKEND_HASH':
@@ -220,7 +214,7 @@ jobs:
 'new_version': '$VERSION',
 'download_url': '$BASE_URL/archipelago',
 'sha256': '$BACKEND_HASH',
- 'size_bytes': $BACKEND_SIZE
+ 'size_bytes': int('$BACKEND_SIZE' or '0')
 })
 if '$FRONTEND_HASH':
 manifest['components'].append({
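Review bot: The replacement line `'changelog': ['Update to version $VERSION'],` — like the neighbouring `'version': '$VERSION'` and `'release_date': '$DATE'` context lines — splices a shell variable straight into Python source inside single quotes, so a `'` or backslash in `VERSION` changes the generated program rather than the value; that is a correctness hazard even when the variable comes from CI. Passing the values through the environment removes the problem: run the script as `VERSION="$VERSION" DATE="$DATE" python3 -c "`, add `import json, os`, and write `'changelog': ['Update to version ' + os.environ['VERSION']],` (same treatment for the other two fields). Dropping the `git log` step also means the published changelog never carries real commit text; if the rsync'd workspace has no `.git`, the changelog could be produced in the checkout step and handed over as a variable or artifact instead of being hard-coded here.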
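Review bot: `int('$BACKEND_SIZE' or '0')` (and the mirrored `$FRONTEND_SIZE` line in the next hunk) turns an unset size into a published `size_bytes: 0` instead of a failed publish, so a consumer that checks the downloaded length against the manifest will either reject every download or, if it treats 0 as "unknown", skip the check — and the broken size computation upstream goes unnoticed. The hash is already treated as required by the enclosing `if '$BACKEND_HASH':`, so the size should be too: `'size_bytes': int('$BACKEND_SIZE'),` and let the empty-string `ValueError` stop the job, or guard explicitly with `if not '$BACKEND_SIZE': raise SystemExit('BACKEND_SIZE unset')`. Note that a non-numeric value still raises with the new code; the `or '0'` only masks the empty case, which is presumably the one the commit hit.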
@@ -229,7 +223,7 @@ jobs:
 'new_version': '$VERSION',
 'download_url': '$BASE_URL/$FRONTEND_NAME',
 'sha256': '$FRONTEND_HASH',
- 'size_bytes': $FRONTEND_SIZE
+ 'size_bytes': int('$FRONTEND_SIZE' or '0')
 })
 print(json.dumps(manifest, indent=2))
 " | sudo tee "$RELEASE_DIR/manifest.json" > /dev/null
diff --git a/core/archipelago/src/api/rpc/package/install.rs b/core/archipelago/src/api/rpc/package/install.rs
index a7fafeb7..5898ef49 100644
--- a/core/archipelago/src/api/rpc/package/install.rs
+++ b/core/archipelago/src/api/rpc/package/install.rs
@@ -872,15 +872,22 @@ autopilot.active=false\n",
 };
 // Run with --network=host (UIs proxy to localhost backend/bitcoin)
+ // --user 0:0: run as root inside container (still unprivileged on host
+ // in rootless podman) to avoid nginx chown failures
 let run = tokio::process::Command::new("podman")
 .args([
 "run",
 "-d",
 "--name",
 &name,
 "--restart=unless-stopped",
 "--network=host",
+ "--user=0:0",
 "--cap-drop=ALL",
+ "--cap-add=CHOWN",
+ "--cap-add=DAC_OVERRIDE",
 "--cap-add=NET_BIND_SERVICE",
- "--memory=64m",
+ "--cap-add=SETUID",
+ "--cap-add=SETGID",
+ "--memory=128m",
 &image,
 ])
 .output()
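Review bot: The new comment at the top of the hunk explains `--user=0:0` but says nothing about why each of `CHOWN`, `DAC_OVERRIDE`, `SETUID` and `SETGID` is re-added after `--cap-drop=ALL`; someone auditing the capability set later has to guess, and `DAC_OVERRIDE` (which bypasses file-mode checks inside the container) is the broadest of the four, so it is the one most in need of a stated reason. I would extend the comment to name the consumer of each, along the lines of `// CHOWN/DAC_OVERRIDE: nginx adjusts ownership of its writable dirs at start; SETUID/SETGID: master process drops to the worker user` (confirm against the image's entrypoint), and if the only trigger is the startup chown the commit message describes, consider whether a writable volume pre-owned by the nginx user would let the caps stay dropped. The `--memory=64m` → `--memory=128m` bump is not mentioned in the commit message and deserves a sentence there. The enclosing function starts and ends outside this hunk.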