release(v1.7.10-alpha): apply namespace fix + FIPS cascade + profile polish
THE apply fix archipelago.service uses ProtectSystem=strict, so /opt and /usr are read-only inside the service's mount namespace. sudo inherits that namespace — every sudo mkdir/mv/chown from apply_update was hitting EROFS even as root. Every prior "Failed to apply update" was a symptom of this. New `host_sudo()` helper wraps every filesystem call in `sudo systemd-run --wait --collect --pipe -- <cmd>`, which spawns a transient unit with systemd's default (no ProtectSystem) protections — the command runs in the host namespace and can touch /opt/archipelago + /usr/local/bin normally. FIPS cascade (#2) Home.vue and Server.vue both carry a FIPS row that previously only looked at {installed, service_active, key_present}. Now they also read anchor_connected + authenticated_peer_count and mirror the full FIPS card: green "Active · N peers" when healthy, orange "No anchor" when the DHT bootstrap has failed. Profile paste URL fallback (#4) Web5Identities.vue list + editor previously had `@error="display:none"` on the <img>, which hid the tag without re-rendering the fallback — a broken pasted URL showed up blank. Replaced with reactive pictureLoadFailed / listPictureFailed flags plus a watcher that resets on URL change. Broken URL now falls back to the initial (or identicon for seed-derived identities). Small-upload data URL (#3) Uploaded profile pictures ≤ 64 KB are now inlined as `data:image/png;base64,...` into profile.picture on the client before calling update-profile. That kind-0 event is fetchable by any Nostr client — no Tor needed. Larger uploads fall back to the onion-rooted public_url with a hint telling the user to paste a public https:// URL for broader visibility. Deferred: #1 FIPS Reconnect "actually fixes" — the current Reconnect calls fips.restart which clears the daemon state, but when the anchor is truly unreachable (UDP 8668 blocked by network/ISP), no amount of restart can help. A richer diagnostic is out of scope for this bundle. Artefacts: archipelago 4a77c704…82aa6f8 40379696 archipelago-frontend-1.7.10-alpha.tar.gz 0644a436…54f58 76983846 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -244,6 +244,32 @@ pub async fn download_update(data_dir: &Path) -> Result<DownloadProgress> {
|
||||
})
|
||||
}
|
||||
|
||||
/// Run a command as root, but *outside* the archipelago service's
|
||||
/// restricted mount namespace.
|
||||
///
|
||||
/// archipelago.service uses `ProtectSystem=strict`, which makes `/opt`
|
||||
/// and `/usr` read-only inside the service — and sudo inherits the
|
||||
/// namespace, so `sudo mv /opt/archipelago/...` fails with EROFS even
|
||||
/// though sudo itself is root. `systemd-run --wait` spawns a transient
|
||||
/// service unit that inherits systemd's default protections (i.e. none
|
||||
/// of ours), escaping the namespace.
|
||||
async fn host_sudo(args: &[&str]) -> Result<std::process::ExitStatus> {
|
||||
let mut full: Vec<&str> = vec![
|
||||
"systemd-run",
|
||||
"--wait",
|
||||
"--quiet",
|
||||
"--collect",
|
||||
"--pipe",
|
||||
"--",
|
||||
];
|
||||
full.extend_from_slice(args);
|
||||
tokio::process::Command::new("sudo")
|
||||
.args(&full)
|
||||
.status()
|
||||
.await
|
||||
.context("sudo systemd-run spawn failed")
|
||||
}
|
||||
|
||||
/// Apply a downloaded update. Backs up current binaries, replaces with staged versions.
|
||||
pub async fn apply_update(data_dir: &Path) -> Result<()> {
|
||||
let staging_dir = data_dir.join("update-staging");
|
||||
@@ -277,31 +303,25 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
|
||||
|
||||
match name.as_str() {
|
||||
"archipelago" => {
|
||||
// We're running FROM /usr/local/bin/archipelago right now,
|
||||
// so we can't rewrite it in place — `install` / `cp` would
|
||||
// hit ETXTBSY on the busy executable. Use `mv` instead:
|
||||
// rename() is atomic and doesn't modify the existing file,
|
||||
// it just re-points the path at a new inode. The currently
|
||||
// running process keeps executing off the old inode; new
|
||||
// invocations (i.e. after the post-apply systemctl
|
||||
// restart) pick up the new binary.
|
||||
// Two namespace gotchas this block works around:
|
||||
// 1. We're running FROM /usr/local/bin/archipelago, so
|
||||
// `install`/`cp` (O_TRUNC + write) fail with ETXTBSY.
|
||||
// Use `mv`, which is atomic rename() and tolerates a
|
||||
// busy destination.
|
||||
// 2. archipelago.service sets ProtectSystem=strict, so
|
||||
// even `sudo mv` into /usr/local/bin/ fails EROFS —
|
||||
// sudo inherits the service's mount namespace. Route
|
||||
// the rename through systemd-run so it runs in a
|
||||
// transient unit with default protections.
|
||||
let staged = src.to_string_lossy().to_string();
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args(["chmod", "0755", &staged])
|
||||
.status()
|
||||
.await;
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args(["chown", "root:root", &staged])
|
||||
.status()
|
||||
.await;
|
||||
let status = tokio::process::Command::new("sudo")
|
||||
.args(["mv", &staged, "/usr/local/bin/archipelago"])
|
||||
.status()
|
||||
let _ = host_sudo(&["chmod", "0755", &staged]).await;
|
||||
let _ = host_sudo(&["chown", "root:root", &staged]).await;
|
||||
let status = host_sudo(&["mv", &staged, "/usr/local/bin/archipelago"])
|
||||
.await
|
||||
.with_context(|| format!("Failed to spawn mv for {}", name))?;
|
||||
if !status.success() {
|
||||
anyhow::bail!(
|
||||
"sudo mv failed for {} (exit {:?})",
|
||||
"mv into /usr/local/bin failed for {} (exit {:?})",
|
||||
name,
|
||||
status.code()
|
||||
);
|
||||
@@ -320,78 +340,66 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
|
||||
let web_ui = "/opt/archipelago/web-ui";
|
||||
let backup_path = "/opt/archipelago/web-ui.bak";
|
||||
|
||||
let mk = tokio::process::Command::new("sudo")
|
||||
.args(["mkdir", "-p", &staging_new])
|
||||
.status()
|
||||
// All sudo calls that touch /opt/archipelago go through
|
||||
// host_sudo so they see a normal root mount namespace.
|
||||
let mk = host_sudo(&["mkdir", "-p", &staging_new])
|
||||
.await
|
||||
.context("Failed to create frontend staging dir")?;
|
||||
if !mk.success() {
|
||||
anyhow::bail!("mkdir {} failed", staging_new);
|
||||
}
|
||||
let extract = tokio::process::Command::new("sudo")
|
||||
.args(["tar", "-xzf", &src.to_string_lossy(), "-C", &staging_new])
|
||||
.status()
|
||||
.await
|
||||
.with_context(|| format!("Failed to extract {}", name))?;
|
||||
let extract = host_sudo(&[
|
||||
"tar",
|
||||
"-xzf",
|
||||
&src.to_string_lossy(),
|
||||
"-C",
|
||||
&staging_new,
|
||||
])
|
||||
.await
|
||||
.with_context(|| format!("Failed to extract {}", name))?;
|
||||
if !extract.success() {
|
||||
// Best-effort cleanup of the partial extraction.
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args(["rm", "-rf", &staging_new])
|
||||
.status()
|
||||
.await;
|
||||
let _ = host_sudo(&["rm", "-rf", &staging_new]).await;
|
||||
anyhow::bail!("tar extraction failed for {}", name);
|
||||
}
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args(["chown", "-R", "archipelago:archipelago", &staging_new])
|
||||
.status()
|
||||
.await;
|
||||
let _ = host_sudo(&[
|
||||
"chown",
|
||||
"-R",
|
||||
"archipelago:archipelago",
|
||||
&staging_new,
|
||||
])
|
||||
.await;
|
||||
|
||||
// Swap: mv current web-ui aside, then mv new into place.
|
||||
if Path::new(web_ui).exists() {
|
||||
let mv_old = tokio::process::Command::new("sudo")
|
||||
.args(["mv", web_ui, &staging_old])
|
||||
.status()
|
||||
let mv_old = host_sudo(&["mv", web_ui, &staging_old])
|
||||
.await
|
||||
.context("Failed to rotate old web-ui")?;
|
||||
if !mv_old.success() {
|
||||
anyhow::bail!("failed to move old web-ui aside");
|
||||
}
|
||||
}
|
||||
let mv_new = tokio::process::Command::new("sudo")
|
||||
.args(["mv", &staging_new, web_ui])
|
||||
.status()
|
||||
let mv_new = host_sudo(&["mv", &staging_new, web_ui])
|
||||
.await
|
||||
.context("Failed to swap new web-ui into place")?;
|
||||
if !mv_new.success() {
|
||||
// Roll back the rename so nginx keeps serving.
|
||||
if Path::new(&staging_old).exists() {
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args(["mv", &staging_old, web_ui])
|
||||
.status()
|
||||
.await;
|
||||
let _ = host_sudo(&["mv", &staging_old, web_ui]).await;
|
||||
}
|
||||
anyhow::bail!("failed to move new web-ui into place");
|
||||
}
|
||||
|
||||
// Rotate previous rollback aside (best-effort) and install
|
||||
// this apply's old copy as the new rollback.
|
||||
// Rotate previous rollback aside and install this apply's
|
||||
// old copy as the new rollback.
|
||||
if Path::new(&staging_old).exists() {
|
||||
if Path::new(backup_path).exists() {
|
||||
// Tag the previous backup with its own ts so it
|
||||
// doesn't collide; best-effort cleanup.
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args([
|
||||
"mv",
|
||||
backup_path,
|
||||
&format!("{}.{}", backup_path, ts),
|
||||
])
|
||||
.status()
|
||||
.await;
|
||||
}
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args(["mv", &staging_old, backup_path])
|
||||
.status()
|
||||
let _ = host_sudo(&[
|
||||
"mv",
|
||||
backup_path,
|
||||
&format!("{}.{}", backup_path, ts),
|
||||
])
|
||||
.await;
|
||||
}
|
||||
let _ = host_sudo(&["mv", &staging_old, backup_path]).await;
|
||||
}
|
||||
info!(name = %name, "Frontend archive extracted to /opt/archipelago/web-ui");
|
||||
}
|
||||
@@ -422,10 +430,10 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
|
||||
// starting the new process — it would deadlock otherwise.
|
||||
tokio::spawn(async {
|
||||
tokio::time::sleep(std::time::Duration::from_secs(2)).await;
|
||||
let _ = tokio::process::Command::new("sudo")
|
||||
.args(["systemctl", "--no-block", "restart", "archipelago"])
|
||||
.status()
|
||||
.await;
|
||||
// systemctl talks to PID 1 over D-Bus — doesn't need the host
|
||||
// mount namespace, but routing through host_sudo keeps the
|
||||
// apply flow's sudo calls uniform.
|
||||
let _ = host_sudo(&["systemctl", "--no-block", "restart", "archipelago"]).await;
|
||||
});
|
||||
|
||||
Ok(())
|
||||
|
||||
Reference in New Issue
Block a user