fix: add uidmap/slirp4netns for rootless Podman, fix Tor permissions
Two critical issues found on fresh .198 install:

1. Podman broken — uidmap package missing from rootfs because --no-install-recommends dropped it. Without newuidmap, rootless Podman can't create user namespaces. Also add slirp4netns and fuse-overlayfs which are required for rootless networking and storage.

2. Tor hidden service dirs created with 750 permissions (setgid). Tor requires exactly 700. Added explicit mkdir + chmod 700 for all hidden service dirs before starting Tor.

Both issues fixed on .198 live. Build script updated for future installs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent b94428a97b
commit eecc7e0e71
@ -245,6 +245,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
|||||||
openssh-server \
|
openssh-server \
|
||||||
nginx \
|
nginx \
|
||||||
podman \
|
podman \
|
||||||
|
uidmap \
|
||||||
|
slirp4netns \
|
||||||
|
fuse-overlayfs \
|
||||||
tor \
|
tor \
|
||||||
curl \
|
curl \
|
||||||
git \
|
git \
|
||||||
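Review bot: Missing documentation on the three added packages: nothing in the package list records that uidmap, slirp4netns and fuse-overlayfs are listed explicitly because `--no-install-recommends` (visible in the hunk header) otherwise drops them, so a later cleanup of the list can silently reintroduce the rootless Podman breakage the commit message describes. Add a one-line comment above `uidmap \` stating that rootless Podman needs newuidmap from uidmap plus slirp4netns/fuse-overlayfs for networking and storage, and consider a build-time check right after the install step (e.g. `command -v newuidmap >/dev/null || exit 1`) so a fresh build fails early instead of producing an image where Podman only fails at first use.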
@ -1094,6 +1097,14 @@ HiddenServiceDir $TOR_DIR/hidden_service_fedimint
|
|||||||
HiddenServicePort 8175 127.0.0.1:8175
|
HiddenServicePort 8175 127.0.0.1:8175
|
||||||
TORRC
|
TORRC
|
||||||
|
|
||||||
|
# Create hidden service dirs with correct ownership and permissions (700, not 750)
|
||||||
|
# Tor refuses to start if permissions are too permissive
|
||||||
|
for svc in archipelago bitcoin electrumx lnd btcpay mempool fedimint; do
|
||||||
|
mkdir -p "$TOR_DIR/hidden_service_$svc"
|
||||||
|
chown debian-tor:debian-tor "$TOR_DIR/hidden_service_$svc"
|
||||||
|
chmod 700 "$TOR_DIR/hidden_service_$svc"
|
||||||
|
done
|
||||||
|
|
||||||
# Prefer system Tor (installed via apt)
|
# Prefer system Tor (installed via apt)
|
||||||
if command -v tor >/dev/null 2>&1; then
|
if command -v tor >/dev/null 2>&1; then
|
||||||
echo "$(date): Using system Tor daemon" >> "$LOG"
|
echo "$(date): Using system Tor daemon" >> "$LOG"
|
||||||
|
|||||||
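Review bot: The service list in `for svc in archipelago bitcoin electrumx lnd btcpay mempool fedimint; do` duplicates the set of `HiddenServiceDir` entries in the TORRC heredoc just above it; if another hidden service is added to the torrc without updating this loop, its directory keeps whatever permissions the setgid parent gives it and, per the comment in the hunk, Tor refuses to start. Define the service names once (a single variable used both to generate the `HiddenServiceDir` lines and to drive this loop, or derive the loop from the generated torrc with `grep '^HiddenServiceDir'`) so the two cannot drift. A second point: the hunk hard-codes `chown debian-tor:debian-tor` before the `if command -v tor` branch that decides whether the system Tor daemon is used, so on the fallback path the directories are mode 700 and owned by a user that may not be the one running Tor; move the chown/chmod into the system-Tor branch or take the owner from the same variable that branch uses, and let the script fail if chown does not succeed rather than continuing to start Tor against directories it cannot read.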