fix(update): Upgrade-Skript ausserhalb /tmp wegen PrivateTmp

edgeguard-api.service hat PrivateTmp=true → schreibt in privates /tmp.
Die per `sudo systemd-run` gestartete Transient-Unit sah das nicht und
brach mit "bash: /tmp/edgeguard-upgrade.sh: No such file or directory"
ab — Modal hing endlos. Pfad jetzt /var/lib/edgeguard/upgrade.sh
(edgeguard-owned, persistent, in beiden Namespaces sichtbar). Sudoers
entsprechend angepasst.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
2026-05-11 22:21:59 +02:00
parent 8f56122a90
commit 2fac8f40dd
7 changed files with 16 additions and 10 deletions


@@ -242,6 +242,12 @@ func (h *SystemHandler) PackageVersions(c *gin.Context) {
func (h *SystemHandler) Upgrade(c *gin.Context) {
slog.Info("starting package upgrade (detached)")
// Skript landet NICHT in /tmp — edgeguard-api.service hat
// PrivateTmp=true und sieht damit ein eigenes /tmp, das die
// per `sudo systemd-run` gestartete Transient-Unit nicht sieht.
// /var/lib/edgeguard ist edgeguard-owned + persistent + von
// beiden Namespaces aus zugänglich.
const scriptPath = "/var/lib/edgeguard/upgrade.sh"
const script = `#!/bin/bash
set -e
sleep 2
@@ -253,9 +259,9 @@ apt-get update -qq
echo "[upgrade] apt-get install -y edgeguard-api edgeguard-ui edgeguard"
apt-get install -y -qq -o Dpkg::Options::=--force-confold edgeguard-api edgeguard-ui edgeguard
echo "[upgrade] complete"
rm -f /tmp/edgeguard-upgrade.sh
rm -f /var/lib/edgeguard/upgrade.sh
`
if err := os.WriteFile("/tmp/edgeguard-upgrade.sh", []byte(script), 0o755); err != nil {
if err := os.WriteFile(scriptPath, []byte(script), 0o755); err != nil {
response.Internal(c, err)
return
}
@@ -272,12 +278,12 @@ rm -f /tmp/edgeguard-upgrade.sh
"--unit="+unitName,
"--description=EdgeGuard self-upgrade",
"--collect",
"bash", "/tmp/edgeguard-upgrade.sh")
"bash", scriptPath)
if err := cmd.Run(); err != nil {
// systemd-run unavailable (dev env without sudo) — fall back
// to setsid. In Prod sollte das nie greifen.
slog.Warn("upgrade: sudo systemd-run failed, falling back to setsid", "error", err)
fallback := exec.Command("setsid", "bash", "/tmp/edgeguard-upgrade.sh")
fallback := exec.Command("setsid", "bash", scriptPath)
fallback.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
if err2 := fallback.Start(); err2 != nil {
response.Internal(c, err2)
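Review bot: The new location keeps the trust inversion the old one had: the API process writes the script with its own privileges (`os.WriteFile(scriptPath, …)` in the second hunk, into a directory the commit message describes as edgeguard-owned) and then asks root to execute exactly that file via `sudo systemd-run … bash scriptPath`, so any file-write or code-execution bug in the API becomes root on the host — the sudoers rule pinning the new path does not change this, because the file's content is still controlled by the unprivileged side. Since the script body visible in the hunk takes no runtime inputs (fixed `apt-get update` / `apt-get install` lines, then a self-`rm`), it can be shipped by the package as a root-owned, non-writable file and the handler reduced to triggering it: drop the `const script` / `os.WriteFile` block and point the constant at the installed copy, e.g. `const scriptPath = "/usr/lib/edgeguard/upgrade.sh"`, with sudoers allowing only that command. If a runtime-written copy is genuinely required, the transient unit should at least refuse to run it unless it is root-owned and not group/world-writable (an ownership/mode check before the `bash` invocation). `Upgrade`'s body continues past the end of this hunk.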