diff --git a/.github/workflows/backend-deploy.yml b/.github/workflows/backend-deploy.yml
index 4fcee55..9373273 100644
--- a/.github/workflows/backend-deploy.yml
+++ b/.github/workflows/backend-deploy.yml
@@ -237,7 +237,7 @@ jobs:
 # and ops/egress_firewall.py consume REDIS_URL, and the firewall
 # self-test checks host:port reachability only, DB-agnostic).
 echo "Validating full boot (root-init + read-only rootfs + /health/) on the new image (pre-cutover)..."
- podman run --rm --cap-drop=ALL --cap-add=NET_ADMIN --cap-add=CHOWN --cap-add=SETUID --cap-add=SETGID --cap-add=SETPCAP --pids-limit=1024 --read-only --tmpfs=/tmp:rw,size=512m,mode=1777 --tmpfs=/app/staticfiles:rw,uid=1001,gid=1001 --tmpfs=/home/fingpt:rw,uid=1001,gid=1001 --tmpfs=/app/runtime:rw,size=512m --memory=1.7g --memory-swap=2g --network fingpt-net \
+ podman run --rm --cap-drop=ALL --cap-add=NET_ADMIN --cap-add=CHOWN --cap-add=SETUID --cap-add=SETGID --cap-add=SETPCAP --pids-limit=1024 --read-only --tmpfs=/tmp:rw,size=512m,mode=1777 --tmpfs=/app/staticfiles:rw,mode=0755 --tmpfs=/home/fingpt:rw,mode=0755 --tmpfs=/app/runtime:rw,size=512m --memory=1.7g --memory-swap=2g --network fingpt-net \
 --env-file /home/deploy/fingpt/envs/.env.production \
 --env REDIS_URL=redis://fingpt-redis:6379/15 \
 --env BOOT_CHECK_ONLY=1 \
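Review bot: The new podman line now relies entirely on entrypoint.sh root-init chowning /app/staticfiles and /home/fingpt, but nothing in this pre-cutover check asserts that the chown actually happened — BOOT_CHECK_ONLY=1 exercises boot and /health/, while the EACCES the comment in the -287 hunk warns about presumably surfaces only when an MCP child later writes under /home/fingpt, so a regression in root-init (or a future `--user` flag that skips the root phase) would pass this gate. Consider having root-init verify ownership right after the chown so the boot check fails loudly, e.g. `stat -c '%U' /home/fingpt /app/staticfiles | grep -qv '^fingpt$' && exit 1`. The override.conf hunk at -307 is cut off here, but if it carries the same podman options they should stay byte-identical to this validated line so the command that ships is the one that was tested. Minor: /app/staticfiles and /home/fingpt still carry no `size=` bound, unlike /tmp and /app/runtime, so a runaway writer can grow them until the 1.7g memory limit OOM-kills the container.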
@@ -287,10 +287,16 @@ jobs:
 # (--disable-dev-shm-usage), nft mktemp at root-init,
 # /tmp/fingpt_cache; sized + world-writable-sticky;
 # /app/staticfiles collectstatic writes it at boot (0 files today, kept
- # writable as future-proofing); uid1001 tmpfs;
+ # writable as future-proofing); mode=0755 tmpfs,
+ # chowned to fingpt by root-init (see below);
 # /home/fingpt fontconfig cache, edgartools ~/.edgar import-time
- # marker, yfinance cache; MUST carry uid=1001,gid=1001
- # or the MCP-child EACCES bug (#331 class) returns.
+ # marker, yfinance cache; MUST end up fingpt-owned or
+ # the MCP-child EACCES bug (#331 class) returns. podman
+ # 5.6.2 rejects tmpfs uid=/gid= mount options outright,
+ # so ownership is NOT set here -- entrypoint.sh root-init
+ # chowns both dirs while PID1 still holds CAP_CHOWN.
+ # mode=0755 (not the tmpfs default 1777) lands them
+ # owner-writable, not world-writable.
 # /app/logs and /app/media are vestigial with ZERO writers -- deliberately
 # NOT tmpfs, so a future stray write fails LOUDLY instead of vanishing
 # into RAM. Playwright's DEPENDENCIES_VALIDATED marker is pre-baked at
@@ -307,7 +307,7 @@ jobs:
 cat > "$OVERRIDE_DIR/override.conf" <