diff --git a/apps/blockchain-node/src/aitbc_chain/database.py b/apps/blockchain-node/src/aitbc_chain/database.py
index 02078f32..d86eddd2 100755
--- a/apps/blockchain-node/src/aitbc_chain/database.py
+++ b/apps/blockchain-node/src/aitbc_chain/database.py
@@ -88,14 +88,24 @@ def init_db() -> None:
 raise
 # Set restrictive file permissions on database file and WAL files
 if settings.db_path.exists():
- os.chmod(settings.db_path, stat.S_IRUSR | stat.S_IWUSR) # Read/write for owner only
+ try:
+ os.chmod(settings.db_path, stat.S_IRUSR | stat.S_IWUSR) # Read/write for owner only
+ except OSError:
+ # Ignore permission errors (e.g., read-only filesystem in containers)
+ pass
 # Also set permissions on WAL files if they exist
 wal_shm = settings.db_path.with_suffix('.db-shm')
 wal_wal = settings.db_path.with_suffix('.db-wal')
 if wal_shm.exists():
- os.chmod(wal_shm, stat.S_IRUSR | stat.S_IWUSR)
+ try:
+ os.chmod(wal_shm, stat.S_IRUSR | stat.S_IWUSR)
+ except OSError:
+ pass
 if wal_wal.exists():
- os.chmod(wal_wal, stat.S_IRUSR | stat.S_IWUSR)
+ try:
+ os.chmod(wal_wal, stat.S_IRUSR | stat.S_IWUSR)
+ except OSError:
+ pass
 
 # Restricted engine access - only for internal use
 def get_engine():
diff --git a/systemd/aitbc-agent-coordinator.service b/systemd/aitbc-agent-coordinator.service
index e7ebb976..52d1fc3e 100644
--- a/systemd/aitbc-agent-coordinator.service
+++ b/systemd/aitbc-agent-coordinator.service
@@ -21,8 +21,6 @@ TimeoutStopSec=10
 # Production reliability
 Restart=always
 RestartSec=5
-StartLimitBurst=5
-StartLimitIntervalSec=60
 
 # Production logging
 StandardOutput=journal
@@ -31,9 +29,6 @@ SyslogIdentifier=aitbc-agent-coordinator
 
 # Production security
 NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/var/lib/aitbc/data/agent-coordinator /var/log/aitbc/agent-coordinator
 
 # Production performance
 LimitNOFILE=65536
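Review bot: The three new `except OSError: pass` blocks in init_db make the owner-only (0600) hardening fail open with no trace: when chmod fails, the database file and its `-shm`/`-wal` companions keep whatever mode they were created with, and nothing records that. `OSError` is also wider than the read-only-filesystem case the comment names, since it covers a chmod refused because the process does not own the file and a file that disappeared between `exists()` and `chmod()`. I would keep the best-effort behaviour but report it, e.g. `except OSError as exc:` followed by `logger.warning("could not restrict permissions on %s: %s", settings.db_path, exc)` (assuming the module has a logger; none is visible in the hunk), and apply the same to the two WAL blocks. The three copies could share one small helper; init_db begins above the hunk, so the file-creation path is not visible here.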
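Review bot: Dropping `ProtectSystem=strict`, `ProtectHome=true` and `ReadWritePaths=` leaves `NoNewPrivileges=true` as the only setting under "# Production security", so the coordinator is no longer confined to its data and log directories and can write wherever its service user can. The commit gives no reason; if the sandbox was removed because one of the listed directories did not exist at start (a guess), prefixing the entries with `-`, as in `ReadWritePaths=-/var/lib/aitbc/data/agent-coordinator -/var/log/aitbc/agent-coordinator`, or creating the directories before start keeps the confinement. If the removal is intentional, a comment in the unit stating why and what compensates for it would help the next reviewer.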