fix: UI sidecar containers need --user 0:0 and CHOWN caps for rootless podman

The backend's post-install hooks create archy-bitcoin-ui, archy-lnd-ui, archy-electrs-ui containers but with only NET_BIND_SERVICE cap. Nginx inside these containers crashes on chown in rootless podman. Added --user=0:0, CHOWN, DAC_OVERRIDE, SETUID, SETGID caps to match the first-boot-containers.sh pattern. Also fixed manifest publish Python error (git log fails in rsync'd workspace with no .git). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 20:35:41 +01:00 · 2026-04-01 20:35:41 +01:00 · da9ecdf0ca
commit da9ecdf0ca
parent 8edb4ab4d1
2 changed files with 12 additions and 11 deletions
--- a/.gitea/workflows/build-iso-dev.yml
+++ b/.gitea/workflows/build-iso-dev.yml
@ -198,19 +198,13 @@ jobs:
          HOST=$(hostname -I 2>/dev/null | awk '{print $1}')
          BASE_URL="http://${HOST:-192.168.1.228}:8083/Builds/releases/v${VERSION}"

-          # Get changelog from recent commits
-          CHANGELOG=$(git log --oneline -10 --format='%s' | python3 -c "
-          import sys, json
-          lines = [l.strip() for l in sys.stdin if l.strip()]
-          print(json.dumps(lines[:10]))
-          " 2>/dev/null || echo '["Update to version '"$VERSION"'"]')
-
+          # Generate manifest JSON
          python3 -c "
          import json
          manifest = {
              'version': '$VERSION',
              'release_date': '$DATE',
-              'changelog': $CHANGELOG,
+              'changelog': ['Update to version $VERSION'],
              'components': []
          }
          if '$BACKEND_HASH':
@ -220,7 +214,7 @@ jobs:
                  'new_version': '$VERSION',
                  'download_url': '$BASE_URL/archipelago',
                  'sha256': '$BACKEND_HASH',
-                  'size_bytes': $BACKEND_SIZE
+                  'size_bytes': int('$BACKEND_SIZE' or '0')
              })
          if '$FRONTEND_HASH':
              manifest['components'].append({
@ -229,7 +223,7 @@ jobs:
                  'new_version': '$VERSION',
                  'download_url': '$BASE_URL/$FRONTEND_NAME',
                  'sha256': '$FRONTEND_HASH',
-                  'size_bytes': $FRONTEND_SIZE
+                  'size_bytes': int('$FRONTEND_SIZE' or '0')
              })
          print(json.dumps(manifest, indent=2))
          " | sudo tee "$RELEASE_DIR/manifest.json" > /dev/null
--- a/core/archipelago/src/api/rpc/package/install.rs
+++ b/core/archipelago/src/api/rpc/package/install.rs
@ -872,15 +872,22 @@ autopilot.active=false\n",
                };

                // Run with --network=host (UIs proxy to localhost backend/bitcoin)
+                // --user 0:0: run as root inside container (still unprivileged on host
+                // in rootless podman) to avoid nginx chown failures
                let run = tokio::process::Command::new("podman")
                    .args([
                        "run", "-d",
                        "--name", &name,
                        "--restart=unless-stopped",
                        "--network=host",
+                        "--user=0:0",
                        "--cap-drop=ALL",
+                        "--cap-add=CHOWN",
+                        "--cap-add=DAC_OVERRIDE",
                        "--cap-add=NET_BIND_SERVICE",
-                        "--memory=64m",
+                        "--cap-add=SETUID",
+                        "--cap-add=SETGID",
+                        "--memory=128m",
                        &image,
                    ])
                    .output()