From bc2f643b0e80a94aa04e37e9332c80da13bcaf82 Mon Sep 17 00:00:00 2001
From: rcourtman
Date: Sun, 19 Oct 2025 16:22:03 +0000
Subject: [PATCH] feat: add user-friendly explanation for socket bind mount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added clear messaging to explain why the socket bind mount is configured, focusing on the security benefits rather than technical implementation. Changes: - Add explanatory header "Secure Container Communication Setup" - Explain the three key benefits: • Container communicates via Unix socket (not SSH) • No SSH keys exposed inside container (enhanced security) • Proxy on host manages all temperature collection - Update technical messages to be more user-friendly: • "Configuring socket bind mount" instead of "Ensuring..." • "Restarting container to activate secure communication" • "Verifying secure communication channel" • "✓ Secure socket communication ready" • "Configuring Pulse to use proxy" This helps users understand WHY the bind mount exists (security) rather than just seeing technical implementation details.
---
 scripts/install-sensor-proxy.sh | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/scripts/install-sensor-proxy.sh b/scripts/install-sensor-proxy.sh
index 3bd2ec742..59203955a 100755
--- a/scripts/install-sensor-proxy.sh
+++ b/scripts/install-sensor-proxy.sh
@@ -742,8 +742,19 @@ fi
 # Container-specific configuration (skip for standalone mode)
 if [[ "$STANDALONE" == false ]]; then
+ echo ""
+ echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+ echo " Secure Container Communication Setup"
+ echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+ echo ""
+ echo "Setting up secure socket mount for temperature monitoring:"
+ echo " • Container communicates with host proxy via Unix socket"
+ echo " • No SSH keys exposed inside container (enhanced security)"
+ echo " • Proxy on host manages all temperature collection"
+ echo ""
+
 # Ensure container mount via mp configuration
- print_info "Ensuring container socket mount configuration..."
+ print_info "Configuring socket bind mount..."
 MOUNT_TARGET="/mnt/pulse-proxy"
 LXC_CONFIG="/etc/pve/lxc/${CTID}.conf"
 CONFIG_CONTENT=$(pct config "$CTID")
@@ -801,7 +812,7 @@ fi
 # Restart container to apply mount if configuration changed or mount missing
 if [[ "$MOUNT_UPDATED" = true ]]; then
- print_info "Restarting container to apply socket mount..."
+ print_info "Restarting container to activate secure communication..."
 if [[ "$CT_RUNNING" = true ]]; then
 pct restart "$CTID"
 else
@@ -814,9 +825,9 @@ fi
 if [[ "$HOTPLUG_FAILED" = true && "$CT_RUNNING" = true ]]; then
 print_warn "Skipping socket verification until container $CTID is restarted."
 else
- print_info "Verifying socket accessibility..."
+ print_info "Verifying secure communication channel..."
 if pct exec "$CTID" -- test -S "${MOUNT_TARGET}/pulse-sensor-proxy.sock"; then
- print_info "Socket is accessible in container at ${MOUNT_TARGET}/pulse-sensor-proxy.sock"
+ print_info "✓ Secure socket communication ready"
 else
 print_warn "Socket not visible at ${MOUNT_TARGET}/pulse-sensor-proxy.sock"
 print_info "Check container configuration and restart if necessary"
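Review bot: The banner added at the top of the `STANDALONE == false` branch states security properties as accomplished facts before the mount has been configured or checked, and nothing in this hunk verifies them. In particular `No SSH keys exposed inside container` describes the design rather than the state of this container; if an earlier SSH-based setup left keys behind (not visible here), the installer would still print it. I would word it as what the new path requires, e.g. `echo "  • Container needs no SSH keys for temperature collection"`, and reserve any "secure" status for after the socket check further down succeeds. The new lines also use bare `echo` where the rest of the block uses `print_info`. The `if` block continues past the end of the hunk.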
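Review bot: The new success line `✓ Secure socket communication ready` (hunk at -814) is printed after `pct exec "$CTID" -- test -S …`, which only shows that a socket file exists at that path inside the container; it does not show that the proxy is answering or that the Pulse backend is permitted to connect. The replaced message also carried the socket path, which is what an operator needs when reading install logs later. I would keep the claim to what was tested and keep the path: `print_info "✓ Proxy socket present in container at ${MOUNT_TARGET}/pulse-sensor-proxy.sock"`. The hunks at -801 and -824 make the same trade, dropping "socket mount" and "mounted proxy socket" from their messages, and would read better for troubleshooting with the concrete noun kept. The enclosing `if`/`else` is closed outside the hunk.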
@@ -824,7 +835,7 @@ else
 fi
 # Configure Pulse backend environment override inside container
-print_info "Configuring Pulse backend to use mounted proxy socket..."
+print_info "Configuring Pulse to use proxy..."
 pct exec "$CTID" -- bash -lc "mkdir -p /etc/systemd/system/pulse-backend.service.d"
 pct exec "$CTID" -- bash -lc "cat <<'EOF' >/etc/systemd/system/pulse-backend.service.d/10-pulse-proxy.conf
 [Service]