From 6cad154028d8cf03ec3343d68f9f8a44b79b8d8f Mon Sep 17 00:00:00 2001
From: Dorian
Date: Tue, 31 Mar 2026 23:19:09 +0100
Subject: [PATCH] fix: add NET_RAW capability to LND container for TLS cert generation

LND crashes with "netlinkrib: address family not supported by protocol" in rootless podman because it needs NET_RAW to enumerate network interfaces during TLS certificate generation. Added to capabilities in config.rs, first-boot-containers.sh, and container-specs.sh.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 core/archipelago/src/api/rpc/package/config.rs | 2 ++
 scripts/container-specs.sh | 1 +
 scripts/first-boot-containers.sh | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/archipelago/src/api/rpc/package/config.rs b/core/archipelago/src/api/rpc/package/config.rs
index 92a89c82..0b0a994a 100644
--- a/core/archipelago/src/api/rpc/package/config.rs
+++ b/core/archipelago/src/api/rpc/package/config.rs
@@ -82,6 +82,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
 // Bitcoin and Lightning need file ownership ops + NET_BIND_SERVICE for port binding
+ // LND additionally needs NET_RAW for TLS certificate generation (netlinkrib interface enumeration)
 "bitcoin" | "bitcoin-core" | "bitcoin-knots" | "lnd" | "fedimint" | "fedimint-gateway" => vec![
 "--cap-add=CHOWN".to_string(),
@@ -90,6 +91,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=SETGID".to_string(),
 "--cap-add=DAC_OVERRIDE".to_string(),
 "--cap-add=NET_BIND_SERVICE".to_string(),
+ "--cap-add=NET_RAW".to_string(),
 ],
 // Vaultwarden needs file ownership + NET_BIND_SERVICE (binds port 80 internally)
 "vaultwarden" => vec![
diff --git a/scripts/container-specs.sh b/scripts/container-specs.sh
index ae9ffa17..0ff9b7dd 100755
--- a/scripts/container-specs.sh
+++ b/scripts/container-specs.sh
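Review bot: The `"--cap-add=NET_RAW".to_string()` entry added in the second hunk lands on the match arm shared by `"bitcoin" | "bitcoin-core" | "bitcoin-knots" | "lnd" | "fedimint" | "fedimint-gateway"`, so all six app ids are granted CAP_NET_RAW, while the comment added in the first hunk and the commit message say only LND needs it. CAP_NET_RAW allows raw and packet sockets on the shared container network, which is why it is normally dropped, and a capability one service needs should not silently widen the others. Giving `"lnd"` its own arm keeps the grant scoped to that container; the two lines between the hunks (presumably the FOWNER and SETUID entries, matching the shell scripts) are not visible here, so the fence marks them as unchanged. `get_app_capabilities` begins and ends outside both hunks.
```rust
        // Bitcoin and Lightning need file ownership ops + NET_BIND_SERVICE for port binding
        "bitcoin" | "bitcoin-core" | "bitcoin-knots" | "fedimint" | "fedimint-gateway" => vec![
            // … unchanged: CHOWN … NET_BIND_SERVICE entries …
        ],
        // LND additionally needs NET_RAW for TLS certificate generation (netlinkrib interface enumeration);
        // it gets its own arm so the other apps on the arm above do not inherit the capability
        "lnd" => vec![
            "--cap-add=CHOWN".to_string(),
            // … same FOWNER/SETUID/SETGID/DAC_OVERRIDE/NET_BIND_SERVICE entries as the arm above …
            "--cap-add=NET_RAW".to_string(),
        ],
```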
@@ -183,6 +183,7 @@ load_spec_lnd() {
 SPEC_PORTS="9735:9735 10009:10009 8080:8080"
 SPEC_VOLUMES="/var/lib/archipelago/lnd:/root/.lnd"
 SPEC_MEMORY="$(mem_limit lnd)"
+ SPEC_CAPS="CHOWN FOWNER SETUID SETGID DAC_OVERRIDE NET_RAW"
 SPEC_HEALTH_CMD="lncli --tlscertpath /root/.lnd/tls.cert --macaroonpath /root/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --rpcserver localhost:10009 getinfo > /dev/null 2>&1 || exit 1"
 SPEC_TIER="2"
 SPEC_DATA_DIR="/var/lib/archipelago/lnd"
diff --git a/scripts/first-boot-containers.sh b/scripts/first-boot-containers.sh
index a4c86d39..12dda20b 100644
--- a/scripts/first-boot-containers.sh
+++ b/scripts/first-boot-containers.sh
@@ -607,7 +607,7 @@ LNDCONF
 $DOCKER run -d --name lnd --restart unless-stopped \
 --health-cmd="curl -sf --insecure https://localhost:8080/v1/getinfo || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
 --memory=$(mem_limit lnd) --network archy-net \
- --cap-drop ALL --cap-add CHOWN --cap-add FOWNER --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
+ --cap-drop ALL --cap-add CHOWN --cap-add FOWNER --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE --cap-add NET_RAW \
 --security-opt no-new-privileges:true \
 -p 9735:9735 -p 10009:10009 -p 8080:8080 \
 -v /var/lib/archipelago/lnd:/root/.lnd \
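Review bot: `SPEC_CAPS` is assigned in `load_spec_lnd` with no reset visible for the other specs, and shell variables persist across function calls, so if the consumer of these `SPEC_*` variables does not clear `SPEC_CAPS` before each `load_spec_*` call, a spec loaded after this one could inherit `CHOWN FOWNER SETUID SETGID DAC_OVERRIDE NET_RAW` — worth confirming against the loader, which is outside this hunk. The assignment also carries none of the rationale the Rust file gets; a comment above it such as `# NET_RAW: LND's TLS cert generation enumerates interfaces via netlink and fails without it under rootless podman` keeps the reason next to the grant for the next person who audits the capability list. `load_spec_lnd` starts before this hunk and its closing brace is outside it.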
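Review bot: The replaced `--cap-add` line grants CAP_NET_RAW for the container's entire lifetime, although the commit message places the need at TLS certificate generation, so a daemon whose ports 9735, 10009 and 8080 are published on the same command keeps raw-socket access it only uses at startup. The attribution is also worth checking before merging: Go's netlinkrib opens an AF_NETLINK route socket, which does not by itself require CAP_NET_RAW, so the failure may come from the seccomp profile or the rootless network setup rather than the missing capability, in which case the broader grant is unnecessary. If NET_RAW is confirmed to be required, record it in a comment above the `$DOCKER run` line, e.g. `# NET_RAW: required by LND's TLS cert generation (netlink interface enumeration) under rootless podman`, since a comment cannot sit inside the backslash-continued command. The `$DOCKER run` command continues past the end of the hunk.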