DECNET/deploy/decnet-api.service.j2
anti f8ef0a5cf1 fix(deploy): redirect DOCKER_CONFIG out of $HOME so ProtectHome doesn't kill builds
The api unit's ProtectHome=read-only made the user's HOME read-only
inside the unit's namespace. docker compose --build then tried to
write ~/.docker/buildx/activity/* and got EROFS — which we'd been
misdiagnosing as a buildx wedge for the last few iterations.

Real fix: set DOCKER_CONFIG and BUILDX_CONFIG in the unit's
Environment= to a path inside ReadWritePaths. Hardening stays on,
docker CLI writes to install_dir/.docker instead of /home/<user>/.docker.

The wedge classifier now detects this case (count==0 + /home/ in
the stderr path) and emits a recipe pointing at the env-var fix
instead of the driver-rebuild path. Test added.

Wiki gets the new branch first since it's the most common cause
on systemd-managed installs.
2026-04-24 22:07:13 -04:00


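[Unit]
Description=DECNET API Service
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/REST-API-Reference
After=network-online.target docker.service
Wants=network-online.target
Requires=docker.service

[Service]
Type=simple
User={{ user }}
Group={{ group }}
# The API ingester tails container logs through docker.sock. On a stock
# Docker install the socket is root:docker and group-writable (the CLI
# needs write access to talk to the daemon), so 'docker' membership is
# what grants it.
# NOTE(security): access to the Docker daemon is root-equivalent on the
# host -- a process that can reach it can start a privileged container
# with / bind-mounted. The sandboxing directives below limit accidental
# damage by this process; they do not contain it if it is compromised.
SupplementaryGroups=docker
WorkingDirectory={{ install_dir }}
# Optional local overrides. systemd applies EnvironmentFile= after
# Environment= regardless of line order, so a DOCKER_CONFIG or
# BUILDX_CONFIG in .env.local would silently point the docker CLI back
# at $HOME and reintroduce the EROFS failure under ProtectHome=.
# The file sits in install_dir, which is writable by the service
# (see ReadWritePaths=), so the service identity can rewrite it.
EnvironmentFile=-{{ install_dir }}/.env.local
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.api.log
# ProtectHome=read-only (below) makes the user's $HOME read-only inside
# the unit's namespace, which breaks `docker compose build` because the
# CLI writes ~/.docker/buildx/activity/. Redirect the docker CLI's
# config root into install_dir (already in ReadWritePaths) so the
# hardening stays on without crippling the build path.
# NOTE(security): $DOCKER_CONFIG/config.json is also where `docker login`
# keeps registry credentials, so if a login is ever performed with this
# environment they land under install_dir instead of $HOME; keep
# {{ install_dir }}/.docker mode 0700 and owned by {{ user }}.
Environment=DOCKER_CONFIG={{ install_dir }}/.docker
Environment=BUILDX_CONFIG={{ install_dir }}/.docker/buildx
ExecStart={{ venv_dir }}/bin/decnet api
# stdout/stderr and DECNET_SYSTEM_LOGS all target the same file; lines
# from the two writers may interleave.
StandardOutput=append:/var/log/decnet/decnet.api.log
StandardError=append:/var/log/decnet/decnet.api.log
# MACVLAN/IPVLAN setup runs from the API lifespan when the embedded sniffer is on.
# The bounding set is the ceiling; AmbientCapabilities= hands the two
# capabilities to the non-root user at exec time and still works with
# NoNewPrivileges=.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
# Security Hardening
NoNewPrivileges=yes
# full = /usr, /boot and /etc read-only. strict would be tighter but has
# not been validated against `docker compose build` running from this unit.
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Additive restrictions that cannot affect this workload: CAP_SYS_TIME is
# already outside the bounding set, the service never changes the hostname,
# and a Python API plus the docker CLI need no realtime scheduling. Older
# systemd versions ignore unknown directives with a warning.
ProtectClock=yes
ProtectHostname=yes
RestrictRealtime=yes
# install_dir is writable so docker CLI state and app data can live there.
# If {{ venv_dir }} is inside install_dir the service can modify its own
# code; narrowing this to the specific writable subdirectories is a TODO
# once the set of paths the app writes is known.
ReadWritePaths={{ install_dir }} /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target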