56b9523d88
The job worker calls fusermount3 (setuid-root) to mount per-instance FUSE overlays and sudo to invoke the privileged systemctl wrapper. NoNewPrivileges=true blocks both, surfacing as "fusermount3: mount failed: Operation not permitted" the first time a server is started. Hardening is still enforced via dedicated user, PrivateTmp, ProtectSystem=full, ReadWritePaths, and the narrow sudoers allowlist limited to two helper scripts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| files | ||
| templates/etc/left4me | ||
| tests | ||
| deploy-test-server.sh | ||
| README.md | ||
left4me Deployment
This directory contains the production-like test deployment for a Linux server. It installs the repository into a fixed host layout, configures a dedicated runtime user, installs systemd units, and wires the web app to host operations through privileged helper commands.
Target Layout
The deployment uses these paths:
/etc/left4me/host.env: host library environment configuration./etc/left4me/web.env: web app environment configuration./opt/left4me/.venv: Python virtual environment for deployed commands./opt/left4me: deployed repository contents./var/lib/left4me/left4me.db: SQLite database used by the web app./var/lib/left4me/installation: shared L4D2 installation./var/lib/left4me/overlays: externally managed overlay directories./var/lib/left4me/instances: rendered instance specifications and per-instance state./var/lib/left4me/runtime: per-instance runtime mount directories./var/lib/left4me/tmp: temporary files used by deployment/runtime operations./usr/local/lib/systemd/system: global systemd unit files, includingleft4me-server@.service./usr/local/libexec/left4me: privileged helper commands, includingleft4me-systemctlandleft4me-journalctl./etc/sudoers.d/left4me: sudoers rules allowing the web/runtime commands to call the helpers non-interactively.
Static units are generated for /var/lib/left4me. If LEFT4ME_ROOT changes, regenerate and reinstall the unit files instead of reusing the existing static units.
Runtime User
The deployment creates and runs host operations as the dedicated runtime user:
- Username:
left4me - Home:
/var/lib/left4me - Shell:
/usr/sbin/nologin
Running A Test Deployment
Run the deployment from the repository root:
deploy/deploy-test-server.sh deploy-user@example-host
The SSH user must be able to run sudo on the target host. The deployment configures system packages, directories, environment files, helper scripts, sudoers rules, Python dependencies, and systemd units.
Admin Bootstrap
Set the bootstrap credentials in the environment when creating the first admin user:
LEFT4ME_ADMIN_USERNAME=admin \
LEFT4ME_ADMIN_PASSWORD='change-me' \
flask create-user "$LEFT4ME_ADMIN_USERNAME" --admin
Use a strong one-time password and rotate it after first login if needed.
Overlay References
Overlay references are relative paths below ${LEFT4ME_ROOT}/overlays. With the default deployment root, they resolve under /var/lib/left4me/overlays.
Valid examples:
standardcompetitive/baseusers/42/custom
Invalid references are rejected:
- Absolute paths such as
/srv/overlay. - Parent traversal such as
../otherorcompetitive/../../base. - Empty path components such as
competitive//base. - Symlink escapes that resolve outside
${LEFT4ME_ROOT}/overlays.
Overlay content is external to the host library and deployment contract. Populate overlay directories separately before referencing them from blueprints or instance specs.