From ff8f11b87ef3b5691a1d434860fa440ba0798094 Mon Sep 17 00:00:00 2001
From: archipelago
Date: Sun, 21 Jun 2026 17:24:34 -0400
Subject: [PATCH] fix(indeedhub): frontend nginx needs SET{UID,GID}+CHOWN+DAC_OVERRIDE under cap-drop-ALL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Live fresh-create on .228 (post special-case removal) had nginx workers die with "setgid(101) failed (Operation not permitted)" → workers exited code 2, port published but nothing served (HTTP 000). The orchestrator does --cap-drop=ALL, so unlike the legacy `podman run` (default caps) nginx's master couldn't drop workers to the nginx user. Declare CHOWN/DAC_OVERRIDE/SETGID/SETUID (SET* to drop the worker user, CHOWN+DAC_OVERRIDE for the tmpfs proxy cache). Verified on .228: frontend fresh-creates, caps applied, nginx serves, UI 200 incl. /api/ and /nostr-provider.js.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 apps/indeedhub/manifest.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apps/indeedhub/manifest.yml b/apps/indeedhub/manifest.yml
index 45c8ad3c..f3f5b1cb 100644
--- a/apps/indeedhub/manifest.yml
+++ b/apps/indeedhub/manifest.yml
@@ -25,7 +25,12 @@ app:
 disk_limit: 1Gi
 security:
- capabilities: []
+ # nginx master runs as root and drops workers to the nginx user (uid/gid
+ # 101) — needs SET{UID,GID}; CHOWN + DAC_OVERRIDE let it own + write the
+ # proxy cache under the tmpfs /var/cache/nginx. The orchestrator does
+ # --cap-drop=ALL, so (unlike the legacy `podman run` default caps) these
+ # must be declared or nginx workers die with "setgid(101) failed".
+ capabilities: [CHOWN, DAC_OVERRIDE, SETGID, SETUID]
 readonly_root: false
 network_policy: isolated
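Review bot: DAC_OVERRIDE in the new `capabilities:` line is much broader than the comment describes — it bypasses permission checks on every file the root nginx master can reach, not only the tmpfs proxy cache under /var/cache/nginx, and with CHOWN alongside it the master can also reassign ownership of any such file; the surrounding `readonly_root: false` context means nothing on the root filesystem limits that. If the orchestrator can mount the tmpfs already owned by uid/gid 101, or the image ships /var/cache/nginx owned by the nginx user, CHOWN and DAC_OVERRIDE become unnecessary and only SETGID/SETUID are needed for the worker drop; a container started directly as the nginx user would need none of the four. Whether the manifest schema exposes tmpfs ownership options is not visible from this hunk, so I would at least record the intended tightening in the comment, e.g. `# CHOWN/DAC_OVERRIDE are only for the tmpfs proxy cache — drop them once the mount is created owned by uid/gid 101`.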