fix: rootless podman scanning — relax namespace/syscall restrictions

RestrictNamespaces and SystemCallFilter block rootless podman from
creating user namespaces needed for container isolation. Removed these
along with RestrictSUIDSGID (implied by NoNewPrivileges). ProtectHome
set to no (rootless podman needs ~/.local/share/containers writable).

Remaining active protections: NoNewPrivileges, ProtectSystem=strict,
ReadWritePaths, RestrictAddressFamilies, MemoryDenyWriteExecute,
RestrictRealtime, SystemCallArchitectures=native.

Also reduced initial scan delay from 15s to 3s for faster container
visibility after boot, and removed Ollama from auto-deploy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian
2026-03-18 14:22:00 +00:00
parent 39c7ac1924
commit 7f5bbbd74c
2 changed files with 9 additions and 9 deletions

@@ -217,8 +217,8 @@ impl Server {
// Initial scan (delayed to let crash recovery finish first)
tokio::spawn(async move {
// Wait for crash recovery to start containers before scanning
tokio::time::sleep(Duration::from_secs(15)).await;
// Brief delay for containers to stabilize after boot
tokio::time::sleep(Duration::from_secs(3)).await;
info!("🐳 Scanning containers...");
if let Err(e) = scan_and_update_packages(&scanner, &state, identity_clone.as_ref()).await {
error!("Failed to scan containers: {}", e);
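Review bot: the new 3-second sleep is a fixed timer, not a synchronization with crash recovery, yet the unchanged comment above it still reads "Initial scan (delayed to let crash recovery finish first)". The replaced line's comment ("Wait for crash recovery to start containers before scanning") described the actual dependency; the new one ("Brief delay for containers to stabilize after boot") describes a different thing, so the first scan can now run while recovery is still starting containers and record an incomplete set, and nothing in this hunk retries on that path (only a returned error is logged). Suggest awaiting the recovery task itself (its JoinHandle, or a Notify/oneshot it completes) instead of sleeping, or at minimum updating the stale first comment so it no longer promises that recovery has finished.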