From 72c376dd44456bdfe6a4b2346731978c62eee05e Mon Sep 17 00:00:00 2001 From: thespad Date: Fri, 14 Jun 2024 13:43:40 +0100 Subject: [PATCH 1/5] Support ro and user operation --- docker-mods.v3 | 48 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/docker-mods.v3 b/docker-mods.v3 index 49265d5..61657b8 100755 --- a/docker-mods.v3 +++ b/docker-mods.v3 @@ -7,7 +7,7 @@ # 2022-09-25 - Initial Release # 2024-04-13 - Let lsiown ignore broken symlinks (requires gnu find) # 2024-06-12 - Remove lsiown and legacy s6 handlers -MOD_SCRIPT_VER="3.20240612" +MOD_SCRIPT_VER="3.20240613" # Define custom folder paths SCRIPTS_DIR="/custom-cont-init.d" @@ -434,7 +434,7 @@ run_mods_local() { run_branding() { # intentional tabs in the heredoc - cat <<-EOF >/etc/s6-overlay/s6-rc.d/init-adduser/branding + cat <<-EOF | tee /run/branding /etc/s6-overlay/s6-rc.d/init-adduser/branding > /dev/null 2>&1 ─────────────────────────────────────── ██╗ ███████╗██╗ ██████╗ 
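Review bot: In run_branding, `> /dev/null 2>&1` on the `tee` discards every write error, not only the expected failure on the /etc path when the root filesystem is read-only; if /run/branding cannot be written either, nothing reports it. A comment above the pipeline would make the intent clear, e.g. `# /etc may be read-only; tee errors are discarded on purpose and /run/branding is the fallback copy` (that reading is inferred from the read-only handling added later in this patch, so confirm it). The `cat` is also unnecessary, since the heredoc can feed `tee` directly: `tee /run/branding /etc/s6-overlay/s6-rc.d/init-adduser/branding >/dev/null 2>&1 <<-EOF`. The rest of the heredoc body and the end of the function lie outside this hunk.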
@@ -449,23 +449,43 @@ run_branding() { EOF } -# Run alias creation functions -create_with_contenv_alias - # Main script loop -if [[ -d "${SCRIPTS_DIR}" ]] || [[ -d "${SERVICES_DIR}" ]]; then - tamper_check - process_custom_services +if grep -qEe ' / \w+ ro' /proc/mounts; then + printf '1' > /run/s6/container_environment/LSIO_READ_ONLY_FS + LSIO_READ_ONLY_FS=1 fi -# Run mod logic -if [[ -n "${DOCKER_MODS+x}" ]] && [[ "${DOCKER_MODS_SIDELOAD,,}" = "true" ]]; then - run_mods_local -elif [[ -n "${DOCKER_MODS+x}" ]]; then - curl_check - run_mods +if [[ ! $(stat /run -c %u) == "0" ]]; then + printf '1' > /run/s6/container_environment/LSIO_NON_ROOT_USER + LSIO_NON_ROOT_USER=1 fi if [[ "${LSIO_FIRST_PARTY}" = "true" ]]; then run_branding fi + +if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]]; then + # Run alias creation functions + create_with_contenv_alias + + if [[ -d "${SCRIPTS_DIR}" ]] || [[ -d "${SERVICES_DIR}" ]]; then + tamper_check + process_custom_services + fi + + # Run mod logic + if [[ -n "${DOCKER_MODS+x}" ]] && [[ "${DOCKER_MODS_SIDELOAD,,}" = "true" ]]; then + run_mods_local + elif [[ -n "${DOCKER_MODS+x}" ]]; then + curl_check + run_mods + fi + +else +echo "╔═════════════════════════════════════════════════════════════════════════╗ +║ ║ +║ You are running this container read-only or as a non-root user: ║ +║ UMASK, custom services, & docker mod functionality will be disabled ║ +║ ║ +╚═════════════════════════════════════════════════════════════════════════╝" +fi From 47d945ae9cc540c1edf4dc8f40a5cca78372081a Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 23 Jun 2024 12:51:04 +0100 Subject: [PATCH 2/5] Split informational messages --- docker-mods.v3 | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/docker-mods.v3 b/docker-mods.v3 index 61657b8..55cbb71 100755 --- a/docker-mods.v3 +++ b/docker-mods.v3 
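Review bot: The read-only probe `grep -qEe ' / \w+ ro' /proc/mounts` can miss a read-only root, because `\w+` does not match a filesystem type containing `.` or `-` (a `fuse.*` type, for example). The trailing ` ro` is also unanchored, so it relies on the options field always starting with `ro` or `rw`. If the probe misses, LSIO_READ_ONLY_FS stays empty and the script takes the mod and custom-service path on a filesystem it cannot write. Matching the fields explicitly avoids both problems: `if grep -qE ' / [^ ]+ ro[, ]' /proc/mounts; then`. Separately, the two `printf '1' > /run/s6/container_environment/...` writes are unchecked, so a failed write would apparently leave the shell variable set without the matching container-environment file.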
@@ -480,12 +480,27 @@ if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]]; then curl_check run_mods fi - -else +elif [[ -n ${LSIO_READ_ONLY_FS} ]]; then echo "╔═════════════════════════════════════════════════════════════════════════╗ ║ ║ -║ You are running this container read-only or as a non-root user: ║ +║ You are running this container read-only: ║ ║ UMASK, custom services, & docker mod functionality will be disabled ║ ║ ║ ╚═════════════════════════════════════════════════════════════════════════╝" +elif [[ -n ${LSIO_NON_ROOT_USER} ]]; then +echo "╔═════════════════════════════════════════════════════════════════════════╗ +║ ║ +║ You are running this container as a non-root user: ║ +║ UMASK, custom services, & docker mod functionality will be disabled ║ +║ and the PUID/PGID environment variables will have no effect. ║ +║ ║ +╚═════════════════════════════════════════════════════════════════════════╝" +else +echo "╔═════════════════════════════════════════════════════════════════════════╗ +║ ║ +║ You are running this container read-only and as a non-root user: ║ +║ This combination of settings is not supported ║ +║ and may result in unwanted behaviour. ║ +║ ║ +╚═════════════════════════════════════════════════════════════════════════╝" fi From a673dd140993c23d1f7e5e8da0e73ec742615868 Mon Sep 17 00:00:00 2001 From: thespad Date: Sun, 23 Jun 2024 12:53:32 +0100 Subject: [PATCH 3/5] Fix ordering --- docker-mods.v3 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docker-mods.v3 b/docker-mods.v3 index 55cbb71..2f86ebe 100755 --- a/docker-mods.v3 +++ b/docker-mods.v3 
@@ -480,6 +480,14 @@ if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]]; then curl_check run_mods fi +elif [[ -n ${LSIO_READ_ONLY_FS} ]] && [[ -n ${LSIO_NON_ROOT_USER} ]]; then +echo "╔═════════════════════════════════════════════════════════════════════════╗ +║ ║ +║ You are running this container read-only and as a non-root user: ║ +║ This combination of settings is not supported ║ +║ and may result in unwanted behaviour. ║ +║ ║ +╚═════════════════════════════════════════════════════════════════════════╝" elif [[ -n ${LSIO_READ_ONLY_FS} ]]; then echo "╔═════════════════════════════════════════════════════════════════════════╗ ║ ║ @@ -495,12 +503,4 @@ echo "╔═══════════════════════ ║ and the PUID/PGID environment variables will have no effect. ║ ║ ║ ╚═════════════════════════════════════════════════════════════════════════╝" -else -echo "╔═════════════════════════════════════════════════════════════════════════╗ -║ ║ -║ You are running this container read-only and as a non-root user: ║ -║ This combination of settings is not supported ║ -║ and may result in unwanted behaviour. ║ -║ ║ -╚═════════════════════════════════════════════════════════════════════════╝" fi From 65bb4487882953b68712fed5fb98fccf6e15cefd Mon Sep 17 00:00:00 2001 From: thespad Date: Wed, 26 Jun 2024 16:42:42 +0100 Subject: [PATCH 4/5] Update changelog --- README.md | 1 + docker-mods.v3 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d14197..fd93e4f 100644 --- a/README.md +++ b/README.md 
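Review bot: The new first `elif` (read-only and non-root together) only warns that the combination is unsupported and then lets startup continue. Its banner never says that UMASK, custom services and docker mods are skipped in this state, although the leading `if [[ -z ${LSIO_READ_ONLY_FS} ]] && [[ -z ${LSIO_NON_ROOT_USER} ]]` guarantees they are. Read-only plus non-root is the configuration a hardened deployment is most likely to use, so the banner should carry the same line as the other two: `║ UMASK, custom services, & docker mod functionality will be disabled ║`. If the combination is truly unsupported, it is also worth stating in a comment whether continuing rather than exiting is deliberate. The `if` chain starts above this hunk.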
@@ -2,6 +2,7 @@ These files are used by Linuxserver build processes to handle mods in our images. Not for end-user consumption. +* **26.06.24:** - Add RO and User handlers. * **10.06.24:** - Move lsiown to its own file. Remove support for legacy v2 and hybrid mods. * **13.04.24:** - Let lsiown ignore broken symlinks (requires gnu find). * **26.03.24:** - Add versioning and debug logging to package install script, force venv creation when python packages are to be installed. diff --git a/docker-mods.v3 b/docker-mods.v3 index 2f86ebe..1485657 100755 --- a/docker-mods.v3 +++ b/docker-mods.v3 @@ -7,7 +7,7 @@ # 2022-09-25 - Initial Release # 2024-04-13 - Let lsiown ignore broken symlinks (requires gnu find) # 2024-06-12 - Remove lsiown and legacy s6 handlers -MOD_SCRIPT_VER="3.20240613" +MOD_SCRIPT_VER="3.20240626" # Define custom folder paths SCRIPTS_DIR="/custom-cont-init.d" From 6460c9f6e9d0d27ca00045ba95519b5d180ae028 Mon Sep 17 00:00:00 2001 From: thespad Date: Wed, 26 Jun 2024 17:11:17 +0100 Subject: [PATCH 5/5] Fix RO note --- docker-mods.v3 | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-mods.v3 b/docker-mods.v3 index 1485657..cc64fda 100755 --- a/docker-mods.v3 +++ b/docker-mods.v3 @@ -493,6 +493,7 @@ echo "╔═══════════════════════ ║ ║ ║ You are running this container read-only: ║ ║ UMASK, custom services, & docker mod functionality will be disabled ║ +║ and the PUID/PGID environment variables will have no effect. ║ ║ ║ ╚═════════════════════════════════════════════════════════════════════════╝" elif [[ -n ${LSIO_NON_ROOT_USER} ]]; then