The web service runs with PrivateTmp=true, which puts it in its own mount namespace. Worker invokes the sandbox helper via sudo from there; the helper's pre-systemd-run `mount --bind --map-users=...` lands in the web service's namespace. systemd-run then spawns transient units in PID 1's namespace where the bind is invisible — the BindPaths lookup finds an empty staging dir owned by root, and the sandbox uid hits permission-denied on every write.

Mirror the pattern from left4me-overlay's ExecStartPre wrapper: enter PID 1's mount namespace at the start of the helper via `nsenter --mount=/proc/1/ns/mnt`. Sentinel env var avoids exec recursion. The gameserver helper handles this at the unit level; the script helper doesn't have a unit so we self-wrap.

Diagnosis: 5 failed builds all hit the same EACCES on the first `mkdir`/`tar mkdir`. Direct SSH-sudo invocations of the same helper succeeded because SSH-sudo doesn't inherit a private namespace; only the worker-invoked path is affected.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
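As an added example (not the repository's helper), the self-wrap pattern the message describes, with the re-exec decision split out from the `exec` so it can be tested without root; the sentinel name SANDBOX_HELPER_IN_ROOT_MNTNS and the script name sandbox-helper are assumed, and the real helper runs as root via sudo so that nsenter can join PID 1's namespace.

```shell
#!/bin/sh
# Added example, not the repository's helper. SANDBOX_HELPER_IN_ROOT_MNTNS (the
# sentinel) and sandbox-helper (the script name) are assumed names. Must run as
# root (sudo) for nsenter to succeed.
set -eu

# Pure decision function: given the sentinel value and the two namespace links
# (as printed by readlink /proc/<pid>/ns/mnt, e.g. "mnt:[4026531841]"), print
# "reexec" or "stay". Keeping policy separate from the exec makes it testable.
reexec_decision() {
  sentinel="$1"; self_ns="$2"; root_ns="$3"
  if [ -n "$sentinel" ]; then
    echo stay            # already re-exec'd once: never loop, even if it failed
  elif [ "$self_ns" = "$root_ns" ]; then
    echo stay            # already in PID 1's mount namespace (e.g. SSH-sudo path)
  else
    echo reexec          # caller lives in a private namespace (PrivateTmp=true)
  fi
}

main() {
  self_ns=$(readlink /proc/self/ns/mnt)
  root_ns=$(readlink /proc/1/ns/mnt 2>/dev/null || echo unknown)
  case "$(reexec_decision "${SANDBOX_HELPER_IN_ROOT_MNTNS:-}" "$self_ns" "$root_ns")" in
    reexec)
      export SANDBOX_HELPER_IN_ROOT_MNTNS=1
      exec nsenter --mount=/proc/1/ns/mnt -- "$0" "$@"
      ;;
  esac
  # Post-condition: fail loudly here rather than let the bind silently land in
  # the wrong namespace and surface later as EACCES inside the transient unit.
  if [ "$self_ns" != "$root_ns" ]; then
    echo "sandbox-helper: still in a private mount namespace ($self_ns != $root_ns)" >&2
    exit 1
  fi
  # From here on, mount --bind --map-users=... and the subsequent
  # systemd-run -p BindPaths=... see the same mount table.
  echo "in PID 1 mount namespace: $self_ns"
}

# Run main only when executed as the helper itself, so sourcing the file for
# tests defines the functions without re-exec'ing.
case "${0##*/}" in sandbox-helper) main "$@" ;; esac
```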