feat: rootless podman, session hardening, boot stability, sidebar fix
Rootless podman migration (TASK-11): - Remove sudo from all podman calls in PodmanClient + 8 backend files - Remove sudo from all podman/docker calls in deploy script - Restore full systemd security hardening: NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime, RestrictNamespaces, RestrictSUIDSGID, SystemCallFilter, ProtectSystem=strict - Enable loginctl linger for rootless container persistence - Remove Ollama from auto-deploy (marketplace-only) Session & auth hardening: - Increase MAX_CONCURRENT_SESSIONS 20→50 (prevents eviction storms) - Debounced 401 redirect in rpc-client.ts (prevents redirect storms) Boot stability: - optimize-debian.sh: adds chrony, swap, removes policy-rc.d - deploy script: pre-restart chrony + swap setup - ISO build: chrony package, swap file creation - BootScreen: no longer clears localStorage (prevents splash replay) - RootRedirect: sole owner of localStorage clearing on server ready UI fixes: - Sidebar opacity default changed from 0→visible (fixes missing sidebar after page-persistence login without entrance animation) - Console.log/error wrapped in import.meta.env.DEV guards - Remove unused route import from RootRedirect Beta tracking: - CLAUDE.md: beta freeze protocol added - MASTER_PLAN.md: TASK-11, TASK-17, phase structure - BETA-PROGRESS.md: initial tracking doc - Tagged v1.2.0-alpha.1 as pre-rootless baseline Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -306,8 +306,8 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
|
||||
pub async fn rolling_container_restart() -> Result<RollingRestartReport> {
|
||||
use std::process::Command;
|
||||
|
||||
let output = Command::new("sudo")
|
||||
.args(["podman", "ps", "--format", "{{.Names}}"])
|
||||
let output = Command::new("podman")
|
||||
.args(["ps", "--format", "{{.Names}}"])
|
||||
.output()
|
||||
.context("Failed to list containers")?;
|
||||
let names: Vec<String> = String::from_utf8_lossy(&output.stdout)
|
||||
@@ -325,8 +325,8 @@ pub async fn rolling_container_restart() -> Result<RollingRestartReport> {
|
||||
for name in &names {
|
||||
debug!(container = %name, "Restarting container");
|
||||
|
||||
let restart = Command::new("sudo")
|
||||
.args(["podman", "restart", "--time", "30", name])
|
||||
let restart = Command::new("podman")
|
||||
.args(["restart", "--time", "30", name])
|
||||
.output();
|
||||
|
||||
match restart {
|
||||
@@ -335,8 +335,8 @@ pub async fn rolling_container_restart() -> Result<RollingRestartReport> {
|
||||
let mut healthy = false;
|
||||
for _ in 0..12 {
|
||||
tokio::time::sleep(std::time::Duration::from_secs(5)).await;
|
||||
let check = Command::new("sudo")
|
||||
.args(["podman", "inspect", name, "--format", "{{.State.Status}}"])
|
||||
let check = Command::new("podman")
|
||||
.args(["inspect", name, "--format", "{{.State.Status}}"])
|
||||
.output();
|
||||
if let Ok(out) = check {
|
||||
let status = String::from_utf8_lossy(&out.stdout).trim().to_string();
|
||||
|
||||
Reference in New Issue
Block a user