fix: rootless podman scanning — relax namespace/syscall restrictions
RestrictNamespaces and SystemCallFilter block rootless podman from creating user namespaces needed for container isolation. Removed these along with RestrictSUIDSGID (implied by NoNewPrivileges). ProtectHome set to no (rootless podman needs ~/.local/share/containers writable).

Remaining active protections: NoNewPrivileges, ProtectSystem=strict, ReadWritePaths, RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime, SystemCallArchitectures=native.

Also reduced initial scan delay from 15s to 3s for faster container visibility after boot, and removed Ollama from auto-deploy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -217,8 +217,8 @@ impl Server {
// Initial scan (delayed to let crash recovery finish first)
tokio::spawn(async move {
// Wait for crash recovery to start containers before scanning
tokio::time::sleep(Duration::from_secs(15)).await;
// Brief delay for containers to stabilize after boot
tokio::time::sleep(Duration::from_secs(3)).await;
info!("🐳 Scanning containers...");
if let Err(e) = scan_and_update_packages(&scanner, &state, identity_clone.as_ref()).await {
error!("Failed to scan containers: {}", e);
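Review bot: replacing the 15s sleep with a 3s sleep swaps one guessed delay for another instead of fixing the ordering the removed comment describes ("Wait for crash recovery to start containers before scanning"); a shorter fixed sleep makes the race with crash recovery more likely, and any container restored after the 3s mark stays unscanned until the next periodic pass, which is a visibility gap for exactly the containers this scanner exists to cover. Suggest sequencing the initial scan on completion of the crash-recovery task (await its JoinHandle, or a Notify it signals when done) rather than `tokio::time::sleep(Duration::from_secs(3)).await;`, or, if the fixed delay must stay, re-run `scan_and_update_packages` with a short backoff when the first pass finds nothing. The new comment "Brief delay for containers to stabilize after boot" also drops the crash-recovery rationale; keep that reason in the comment so the next reader knows why the scan must not run before recovery.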