From 6a0690a8f75c1f0525fd6e0f2453936ac18dbf70 Mon Sep 17 00:00:00 2001
From: Anthony Ettinger
Date: Mon, 15 Jun 2026 13:57:09 +0000
Subject: [PATCH] refactor(pods): drop redundant tuneApt apt-sandbox hack
The rootless-podman default capability set (already on main) lets apt drop to the _apt user on its own, so disabling the apt download sandbox via tuneApt is dead code. Removing it; apt now works the proper way.
Co-Authored-By: Claude Opus 4.8
---
 internal/pods/pods.go | 20 --------------------
 1 file changed, 20 deletions(-)
diff --git a/internal/pods/pods.go b/internal/pods/pods.go
index 0b10acb..b93b6ec 100644
--- a/internal/pods/pods.go
+++ b/internal/pods/pods.go
@@ -135,7 +135,6 @@ func (m *Manager) ensure(user string) (string, error) {
 _ = exec.Command(m.engine, "rm", "-f", name).Run() // fall through to recreate with the bind
 } else {
 _ = exec.Command(m.engine, "start", name).Run() // no-op if running
- m.tuneApt(name)
 return name, nil
 }
 }
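Review bot: Pods that already exist keep the `/etc/apt/apt.conf.d/00no-sandbox` file the removed tuneApt wrote, and the `start` branch here returns them untouched, so apt's download sandbox stays disabled in those pods even though the commit message says apt now works the proper way; the same gap applies to hunk 2, which removes the writer without any cleanup. If the container filesystem persists across stop/start (which the reuse path implies), a one-line cleanup in the else branch, `_ = exec.Command(m.engine, "exec", "--user", "root", name, "rm", "-f", "/etc/apt/apt.conf.d/00no-sandbox").Run() // drop the pre-refactor apt sandbox override`, restores the _apt privilege drop for existing pods; per the removed docker guard the file was never written there, so the call is harmless under docker. The deleted doc comment was also the only place in this file recording that apt needs CAP_SETUID/CAP_SETGID/CAP_CHOWN to drop to _apt, so a one-line note at the capability-set definition (outside this diff) would keep that dependency visible. ensure begins before and ends after this hunk.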
@@ -178,28 +177,9 @@ func (m *Manager) ensure(user string) (string, error) {
 if err != nil {
 return "", fmt.Errorf("pods: create failed: %v: %s", err, strings.TrimSpace(string(out)))
 }
- m.tuneApt(name)
 return name, nil
 }
 
-// tuneApt makes apt usable inside the hardened pod. apt drops privileges to
-// the _apt user for downloads (setgroups/setegid/seteuid), which needs
-// CAP_SETUID/CAP_SETGID/CAP_CHOWN — caps we intentionally drop (cap-drop ALL).
-// Rather than re-grant those to the whole container, disable apt's download
-// sandbox so package management runs as the pod's (rootless-mapped) root.
-//
-// Only applies to the podman/container-root path; under docker the pod runs as
-// uid 1000 and can't write /etc/apt (apt isn't usable there by design). Failure
-// is non-fatal: a missing config just means the user sees the old apt errors.
-func (m *Manager) tuneApt(name string) {
- if m.engine == "docker" {
- return
- }
- _ = exec.Command(m.engine, "exec", "--user", "root", name,
- "sh", "-c", `printf 'APT::Sandbox::User "root";\n' > /etc/apt/apt.conf.d/00no-sandbox`,
- ).Run()
-}
-
 // Attach provisions the pod and wires the SSH session to a shell inside it.
 // Blocks until the shell exits or the session closes.
 func (m *Manager) Attach(s ssh.Session, user string) error {