lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity

fix: UI sidecar containers need --user 0:0 and CHOWN caps for rootless podman

Browse Source 
The backend's post-install hooks create archy-bitcoin-ui, archy-lnd-ui,
archy-electrs-ui containers but with only NET_BIND_SERVICE cap. Nginx
inside these containers crashes on chown in rootless podman.

Added --user=0:0, CHOWN, DAC_OVERRIDE, SETUID, SETGID caps to match
the first-boot-containers.sh pattern. Also fixed manifest publish
Python error (git log fails in rsync'd workspace with no .git).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian 2026-04-01 20:35:41 +01:00
parent 8edb4ab4d1
commit da9ecdf0ca
2 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.gitea/workflows/build-iso-dev.yml
View File

@ -198,19 +198,13 @@ jobs:
HOST=$(hostname -I 2>/dev/null | awk '{print $1}') HOST=$(hostname -I 2>/dev/null | awk '{print $1}')
BASE_URL="http://${HOST:-192.168.1.228}:8083/Builds/releases/v${VERSION}" BASE_URL="http://${HOST:-192.168.1.228}:8083/Builds/releases/v${VERSION}"
# Get changelog from recent commits # Generate manifest JSON
CHANGELOG=$(git log --oneline -10 --format='%s' | python3 -c "
import sys, json
lines = [l.strip() for l in sys.stdin if l.strip()]
print(json.dumps(lines[:10]))
" 2>/dev/null || echo '["Update to version '"$VERSION"'"]')
python3 -c " python3 -c "
import json import json
manifest = { manifest = {
'version': '$VERSION', 'version': '$VERSION',
'release_date': '$DATE', 'release_date': '$DATE',
'changelog': $CHANGELOG, 'changelog': ['Update to version $VERSION'],
'components': [] 'components': []
} }
if '$BACKEND_HASH': if '$BACKEND_HASH':
@ -220,7 +214,7 @@ jobs:
'new_version': '$VERSION', 'new_version': '$VERSION',
'download_url': '$BASE_URL/archipelago', 'download_url': '$BASE_URL/archipelago',
'sha256': '$BACKEND_HASH', 'sha256': '$BACKEND_HASH',
'size_bytes': $BACKEND_SIZE 'size_bytes': int('$BACKEND_SIZE' or '0')
}) })
if '$FRONTEND_HASH': if '$FRONTEND_HASH':
manifest['components'].append({ manifest['components'].append({
@ -229,7 +223,7 @@ jobs:
'new_version': '$VERSION', 'new_version': '$VERSION',
'download_url': '$BASE_URL/$FRONTEND_NAME', 'download_url': '$BASE_URL/$FRONTEND_NAME',
'sha256': '$FRONTEND_HASH', 'sha256': '$FRONTEND_HASH',
'size_bytes': $FRONTEND_SIZE 'size_bytes': int('$FRONTEND_SIZE' or '0')
}) })
print(json.dumps(manifest, indent=2)) print(json.dumps(manifest, indent=2))
" | sudo tee "$RELEASE_DIR/manifest.json" > /dev/null " | sudo tee "$RELEASE_DIR/manifest.json" > /dev/null

9
core/archipelago/src/api/rpc/package/install.rs
View File

@ -872,15 +872,22 @@ autopilot.active=false\n",
}; };
// Run with --network=host (UIs proxy to localhost backend/bitcoin) // Run with --network=host (UIs proxy to localhost backend/bitcoin)
// --user 0:0: run as root inside container (still unprivileged on host
// in rootless podman) to avoid nginx chown failures
let run = tokio::process::Command::new("podman") let run = tokio::process::Command::new("podman")
.args([ .args([
"run", "-d", "run", "-d",
"--name", &name, "--name", &name,
"--restart=unless-stopped", "--restart=unless-stopped",
"--network=host", "--network=host",
"--user=0:0",
"--cap-drop=ALL", "--cap-drop=ALL",
"--cap-add=CHOWN",
"--cap-add=DAC_OVERRIDE",
"--cap-add=NET_BIND_SERVICE", "--cap-add=NET_BIND_SERVICE",
"--memory=64m", "--cap-add=SETUID",
"--cap-add=SETGID",
"--memory=128m",
&image, &image,
]) ])
.output() .output()