From a0e6822bf3c37a7d142f469934b945db89effa40 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sun, 27 Feb 2022 18:33:48 +0000 Subject: [PATCH 01/19] Remove unrequired files from image --- .dockerignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.dockerignore b/.dockerignore index 79673e81..c4a0cf73 100644 --- a/.dockerignore +++ b/.dockerignore @@ -10,6 +10,10 @@ docker-compose.yml .gitlab-ci.yml # root +.editorconfig +.pylintrc +.venv +.vscode crafty_commander.exe DBCHANGES.md docker-compose.yml.example From a488802847ed9a3506c3c4a531ecd8e2477af531 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sun, 27 Feb 2022 18:35:24 +0000 Subject: [PATCH 02/19] Add required userns env variables And missing TZ var --- docker-compose.yml.example | 6 +++++- docker/docker-compose.yml | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml.example b/docker-compose.yml.example index de5700f1..05b023a2 100644 --- a/docker-compose.yml.example +++ b/docker-compose.yml.example @@ -4,6 +4,10 @@ services: crafty: container_name: crafty_commander image: registry.gitlab.com/crafty-controller/crafty-commander:latest + environment: + - PGID=0 + - PUID=0 + - TZ=Etc/UTC ports: - "8000:8000" # HTTP - "8443:8443" # HTTPS @@ -15,4 +19,4 @@ services: - ./docker/logs:/commander/logs - ./docker/servers:/commander/servers - ./docker/config:/commander/app/config - - ./import:/commander/import + - ./docker/import:/commander/import diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 5e751d30..8988a6b9 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -4,6 +4,10 @@ services: crafty: container_name: crafty_commander build: .. + environment: + - PGID=0 + - PUID=0 + - TZ=Etc/UTC ports: - "8000:8000" # HTTP - "8443:8443" # HTTPS From 0de6948b4c411a07198787dea7e222daea9d3f8a Mon Sep 17 00:00:00 2001 
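Review bot: `PUID=0` and `PGID=0` in the new `environment:` block make root the identity that anyone copying this example ends up with, and the same two lines are added to `docker/docker-compose.yml`. If the variables are meant to let operators choose the runtime user, the example should show a non-root pair such as `- PUID=1000` and `- PGID=1000` (constructed sample values), with a comment saying they should match the owner of the bind-mounted directories. PATCH 09 re-adds the same zero defaults.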
From: Zedifus Date: Sun, 27 Feb 2022 18:38:30 +0000 Subject: [PATCH 03/19] Rework rebased Dockerfile for an attempt at userns --- Dockerfile | 39 +++++++++++++++++++++++++++++++-------- docker_launcher.sh | 2 ++ 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index cb081b62..07d1a4b2 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -7,18 +7,39 @@ LABEL maintainer="Dockerfile created by Zedifus " # Security Patch for CVE-2021-44228 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true -# Install Packages And Dependencies -COPY requirements.txt /commander/requirements.txt -RUN apt update \ -&& apt install -y gcc python3 python3-pip libmariadb-dev openjdk-8-jre-headless openjdk-11-jre-headless openjdk-16-jre-headless openjdk-17-jre-headless default-jre \ -&& pip3 install --no-cache-dir -r /commander/requirements.txt +# Install Packages, Dependencies and Setup user +COPY requirements.txt /commander-venv/requirements.txt +RUN groupadd -g "${PGID:-0}" -o crafty \ + && useradd -g "${PGID:-0}" -u "${PUID:-0}" -o crafty \ + && apt-get update \ + && apt-get -y --no-install-recommends install \ + gcc \ + python3 \ + python3-dev \ + python3-pip \ + python3-venv \ + libmariadb-dev \ + default-jre \ + openjdk-8-jre-headless \ + openjdk-11-jre-headless \ + openjdk-16-jre-headless \ + openjdk-17-jre-headless \ + && apt-get autoremove \ + && apt-get clean \ + && python3 -m venv /commander-venv/ \ + && . /commander-venv/bin/activate \ + && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==20.3.3 \ + && pip3 install --no-cache-dir -r /commander-venv/requirements.txt \ + && deactivate \ + && chown -R crafty:crafty /commander-venv # Copy Source & copy default config from image COPY ./ /commander WORKDIR /commander RUN mv ./app/config ./app/config_original \ -&& mv ./app/config_original/default.json.example ./app/config_original/default.json \ -&& chmod +x ./docker_launcher.sh + && mv ./app/config_original/default.json.example ./app/config_original/default.json \ + && chown -R crafty:crafty /commander \ + && chmod +x ./docker_launcher.sh # Expose Web Interface port & Server port range EXPOSE 8000 
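Review bot: The `${PGID:-0}` and `${PUID:-0}` expansions in the new `RUN groupadd … && useradd …` are evaluated at build time, and no `ARG PUID`/`ARG PGID` is visible in this hunk, so unless one is declared above line 7 they always fall back to 0. With `-o` that creates `crafty` as a second name for UID 0/GID 0, and the `USER crafty` added in the next hunk still runs the service as root; the compose `environment:` values from PATCH 02 exist only at container runtime and cannot influence this line. I would create the account with fixed non-zero IDs, for example `groupadd -g 1001 crafty && useradd -u 1001 -g crafty -M crafty`, or declare `ARG PUID=1001` and `ARG PGID=1001` before the `RUN`. The same defaults return in PATCH 09's Dockerfile hunk. Separately, `apt-get autoremove` has no `-y` and `/var/lib/apt/lists/*` is never removed in this layer.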
@@ -26,6 +47,8 @@ EXPOSE 8443 EXPOSE 19132 EXPOSE 25500-25600 -# Start Crafty Commander through wrapper +# Start Crafty Commander through wrapper as crafty +USER crafty ENTRYPOINT ["/commander/docker_launcher.sh"] CMD ["-v", "-d", "-i"] + diff --git a/docker_launcher.sh b/docker_launcher.sh index 3cec85fd..3eed33b8 100644 --- a/docker_launcher.sh +++ b/docker_launcher.sh @@ -6,4 +6,6 @@ if [ ! "$(ls -A ./app/config)" ]; then cp -r ./app/config_original/* ./app/config/ fi +# Activate our prepared venv and launch crafty with provided args +. /commander-venv/bin/activate exec python3 main.py $@ From cef4fac8233128ab9cd35ce05c6c18705ea59362 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sun, 27 Feb 2022 19:25:23 +0000 Subject: [PATCH 04/19] Correct MC Serv Port range to 100 ports default To match Dockerfile --- docker-compose.yml.example | 2 +- docker/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml.example b/docker-compose.yml.example index 05b023a2..852c9a80 100644 --- a/docker-compose.yml.example +++ b/docker-compose.yml.example @@ -13,7 +13,7 @@ services: - "8443:8443" # HTTPS - "8123:8123" # DYNMAP - "19132:19132/udp" # BEDROCK - - "24000-25600:24000-25600" # MC SERV PORT RANGE + - "25500-25600:25500-25600" # MC SERV PORT RANGE volumes: - ./docker/backups:/commander/backups - ./docker/logs:/commander/logs diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 8988a6b9..b40dd3d0 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -13,7 +13,7 @@ services: - "8443:8443" # HTTPS - "8123:8123" # DYNMAP - "19132:19132/udp" # BEDROCK - - "24000-25600:24000-25600" # MC SERV PORT RANGE + - "25500-25600:25500-25600" # MC SERV PORT RANGE volumes: - ./backups:/commander/backups - ./logs:/commander/logs From 0bacad024545f6aa15b40b0363704cfdb036bcfb Mon Sep 17 00:00:00 2001 
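Review bot: `exec python3 main.py $@` on the last line of the `docker_launcher.sh` hunk forwards the container arguments unquoted, so any argument containing whitespace or glob characters is re-split or expanded by the shell before `main.py` sees it. Since this script is the image `ENTRYPOINT` and receives whatever is passed to `docker run`, it should be `exec python3 main.py "$@"`. The line is unchanged context here, but this commit edits the launch step directly above it; the top of the script is outside the hunk.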
From: Zedifus Date: Sun, 27 Feb 2022 20:55:31 +0000 Subject: [PATCH 05/19] Apply file perms from env in entrypoint --- Dockerfile | 1 - docker_launcher.sh | 9 +++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 07d1a4b2..302310e4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,4 +51,3 @@ EXPOSE 25500-25600 USER crafty ENTRYPOINT ["/commander/docker_launcher.sh"] CMD ["-v", "-d", "-i"] - diff --git a/docker_launcher.sh b/docker_launcher.sh index 3eed33b8..7af8edbd 100644 --- a/docker_launcher.sh +++ b/docker_launcher.sh @@ -6,6 +6,15 @@ if [ ! "$(ls -A ./app/config)" ]; then cp -r ./app/config_original/* ./app/config/ fi +# Set user/group permissions to env or default to image root +groupmod -g "${PGID}" -o crafty +sed -i -E "s/^(crafty:x):[0-9]+:[0-9]+:(.*)/\\1:$PUID:$PGID:\\2/" /etc/passwd + +# Apply new permissions taken from env over working dirs +chown -R crafty:crafty \ + /commander/ \ + /commander-venv/ + # Activate our prepared venv and launch crafty with provided args . /commander-venv/bin/activate exec python3 main.py $@ From 44d36b84f239e1d9de6843ccdcc254497b8cf8a8 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sun, 27 Feb 2022 21:25:44 +0000 Subject: [PATCH 06/19] Update pip in dep build --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 302310e4..e798a102 100644 --- a/Dockerfile +++ b/Dockerfile @@ -28,7 +28,7 @@ RUN groupadd -g "${PGID:-0}" -o crafty \ && apt-get clean \ && python3 -m venv /commander-venv/ \ && . /commander-venv/bin/activate \ - && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==20.3.3 \ + && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ && pip3 install --no-cache-dir -r /commander-venv/requirements.txt \ && deactivate \ && chown -R crafty:crafty /commander-venv From 98c0c403c9ee13aad9e87c9f13c9d0f170649268 Mon Sep 17 00:00:00 2001 
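Review bot: `$PUID` and `$PGID` are pasted into the `sed -i` program and into `groupmod` with no default and no validation. If either variable is unset the substitution writes `crafty:x:::…` into `/etc/passwd`, and a value containing `/` or `&` changes the sed expression itself. These commands also need root, while the image ends with `USER crafty`, so they only succeed as long as `crafty` is UID 0 (the build-time fallback from PATCH 03). I would default and digit-check both values before the first use, as below; the same block is re-added by PATCH 09. The start of the script is outside this hunk.

```shell
# Fall back to the IDs the image was built with and accept digits only
PUID="${PUID:-0}"
PGID="${PGID:-0}"
case "${PUID}${PGID}" in
    *[!0-9]*) echo "PUID and PGID must be numeric" >&2; exit 1 ;;
esac
groupmod -g "${PGID}" -o crafty
# … unchanged: sed rewrite of /etc/passwd and chown -R over the working dirs …
```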
From: Zedifus Date: Mon, 28 Feb 2022 20:01:14 +0000 Subject: [PATCH 07/19] Investigating a different approach of non root These commits are 100% getting squashed. Just got to test this on my production machine. Definitely not sure if this is the right way of doing it experimenting. --- Dockerfile | 23 ++++++++++++----------- docker-compose.yml.example | 2 -- docker/docker-compose.yml | 2 -- docker_launcher.sh | 9 --------- 4 files changed, 12 insertions(+), 24 deletions(-) diff --git a/Dockerfile b/Dockerfile index e798a102..474fd3ef 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,11 +7,9 @@ LABEL maintainer="Dockerfile created by Zedifus " # Security Patch for CVE-2021-44228 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true -# Install Packages, Dependencies and Setup user +# Install Packages and Setup Dependencies in venv COPY requirements.txt /commander-venv/requirements.txt -RUN groupadd -g "${PGID:-0}" -o crafty \ - && useradd -g "${PGID:-0}" -u "${PUID:-0}" -o crafty \ - && apt-get update \ +RUN apt-get update \ && apt-get -y --no-install-recommends install \ gcc \ python3 \ 
@@ -30,16 +28,20 @@ RUN groupadd -g "${PGID:-0}" -o crafty \ && . /commander-venv/bin/activate \ && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ && pip3 install --no-cache-dir -r /commander-venv/requirements.txt \ - && deactivate \ - && chown -R crafty:crafty /commander-venv + && deactivate -# Copy Source & copy default config from image +# Copy Source and prepare config if needed, Then apply permissions. COPY ./ /commander WORKDIR /commander RUN mv ./app/config ./app/config_original \ && mv ./app/config_original/default.json.example ./app/config_original/default.json \ - && chown -R crafty:crafty /commander \ - && chmod +x ./docker_launcher.sh + && chown -R 1001:0 /commander /commander-venv \ + && chmod -R g=u /commander /commander-venv \ + && chmod +x ./docker_launcher.sh \ + && chmod 775 /commander /commander-venv + +# Switch user to non-root +USER 1001 # Expose Web Interface port & Server port range EXPOSE 8000 @@ -47,7 +49,6 @@ EXPOSE 8443 EXPOSE 19132 EXPOSE 25500-25600 -# Start Crafty Commander through wrapper as crafty -USER crafty +# Start Crafty Commander through wrapper ENTRYPOINT ["/commander/docker_launcher.sh"] CMD ["-v", "-d", "-i"] diff --git a/docker-compose.yml.example b/docker-compose.yml.example index 852c9a80..4de61fd7 100644 --- a/docker-compose.yml.example +++ b/docker-compose.yml.example @@ -5,8 +5,6 @@ services: container_name: crafty_commander image: registry.gitlab.com/crafty-controller/crafty-commander:latest environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index b40dd3d0..cefacb35 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -5,8 +5,6 @@ services: container_name: crafty_commander build: .. environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker_launcher.sh b/docker_launcher.sh index 7af8edbd..3eed33b8 100644 --- a/docker_launcher.sh 
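Review bot: `chown -R 1001:0` followed by `chmod -R g=u` over both `/commander` and `/commander-venv` makes the application source, `docker_launcher.sh` and every installed package writable by the account that runs the service and by anything in GID 0. A flaw in the running application could then persist by modifying the code that executes at the next start. I would leave the venv out of both lines, `&& chown -R 1001:0 /commander \` and `&& chmod -R g=u /commander \`, so it stays root-owned and read-only, and ideally narrow the writable set further to the data directories that the compose files mount. PATCH 08 carries this identical hunk.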
+++ b/docker_launcher.sh @@ -6,15 +6,6 @@ if [ ! "$(ls -A ./app/config)" ]; then cp -r ./app/config_original/* ./app/config/ fi -# Set user/group permissions to env or default to image root -groupmod -g "${PGID}" -o crafty -sed -i -E "s/^(crafty:x):[0-9]+:[0-9]+:(.*)/\\1:$PUID:$PGID:\\2/" /etc/passwd - -# Apply new permissions taken from env over working dirs -chown -R crafty:crafty \ - /commander/ \ - /commander-venv/ - # Activate our prepared venv and launch crafty with provided args . /commander-venv/bin/activate exec python3 main.py $@ From 326f5aa78d93e26a31cc2836561a8e6c4a3b4dd4 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Tue, 1 Mar 2022 20:14:53 +0000 Subject: [PATCH 08/19] Revert my last commit --- Dockerfile | 23 ++++++++++++----------- docker-compose.yml.example | 2 -- docker/docker-compose.yml | 2 -- docker_launcher.sh | 9 --------- 4 files changed, 12 insertions(+), 24 deletions(-) diff --git a/Dockerfile b/Dockerfile index e798a102..474fd3ef 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,11 +7,9 @@ LABEL maintainer="Dockerfile created by Zedifus " # Security Patch for CVE-2021-44228 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true -# Install Packages, Dependencies and Setup user +# Install Packages and Setup Dependencies in venv COPY requirements.txt /commander-venv/requirements.txt -RUN groupadd -g "${PGID:-0}" -o crafty \ - && useradd -g "${PGID:-0}" -u "${PUID:-0}" -o crafty \ - && apt-get update \ +RUN apt-get update \ && apt-get -y --no-install-recommends install \ gcc \ python3 \ 
@@ -30,16 +28,20 @@ RUN groupadd -g "${PGID:-0}" -o crafty \ && . /commander-venv/bin/activate \ && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ && pip3 install --no-cache-dir -r /commander-venv/requirements.txt \ - && deactivate \ - && chown -R crafty:crafty /commander-venv + && deactivate -# Copy Source & copy default config from image +# Copy Source and prepare config if needed, Then apply permissions. COPY ./ /commander WORKDIR /commander RUN mv ./app/config ./app/config_original \ && mv ./app/config_original/default.json.example ./app/config_original/default.json \ - && chown -R crafty:crafty /commander \ - && chmod +x ./docker_launcher.sh + && chown -R 1001:0 /commander /commander-venv \ + && chmod -R g=u /commander /commander-venv \ + && chmod +x ./docker_launcher.sh \ + && chmod 775 /commander /commander-venv + +# Switch user to non-root +USER 1001 # Expose Web Interface port & Server port range EXPOSE 8000 @@ -47,7 +49,6 @@ EXPOSE 8443 EXPOSE 19132 EXPOSE 25500-25600 -# Start Crafty Commander through wrapper as crafty -USER crafty +# Start Crafty Commander through wrapper ENTRYPOINT ["/commander/docker_launcher.sh"] CMD ["-v", "-d", "-i"] diff --git a/docker-compose.yml.example b/docker-compose.yml.example index 852c9a80..4de61fd7 100644 --- a/docker-compose.yml.example +++ b/docker-compose.yml.example @@ -5,8 +5,6 @@ services: container_name: crafty_commander image: registry.gitlab.com/crafty-controller/crafty-commander:latest environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index b40dd3d0..cefacb35 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -5,8 +5,6 @@ services: container_name: crafty_commander build: .. environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker_launcher.sh b/docker_launcher.sh index 7af8edbd..3eed33b8 100644 --- a/docker_launcher.sh 
+++ b/docker_launcher.sh @@ -6,15 +6,6 @@ if [ ! "$(ls -A ./app/config)" ]; then cp -r ./app/config_original/* ./app/config/ fi -# Set user/group permissions to env or default to image root -groupmod -g "${PGID}" -o crafty -sed -i -E "s/^(crafty:x):[0-9]+:[0-9]+:(.*)/\\1:$PUID:$PGID:\\2/" /etc/passwd - -# Apply new permissions taken from env over working dirs -chown -R crafty:crafty \ - /commander/ \ - /commander-venv/ - # Activate our prepared venv and launch crafty with provided args . /commander-venv/bin/activate exec python3 main.py $@ From 53b2b2ed4ba7eeaa5938e9bbd811b5f73555fd7a Mon Sep 17 00:00:00 2001 From: Zedifus Date: Tue, 1 Mar 2022 20:20:17 +0000 Subject: [PATCH 09/19] Revert my last commit correctly Man these are so getting squashed --- Dockerfile | 23 +++++++++++------------ docker-compose.yml.example | 2 ++ docker/docker-compose.yml | 2 ++ docker_launcher.sh | 9 +++++++++ 4 files changed, 24 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index 474fd3ef..e798a102 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,9 +7,11 @@ LABEL maintainer="Dockerfile created by Zedifus " # Security Patch for CVE-2021-44228 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true -# Install Packages and Setup Dependencies in venv +# Install Packages, Dependencies and Setup user COPY requirements.txt /commander-venv/requirements.txt -RUN apt-get update \ +RUN groupadd -g "${PGID:-0}" -o crafty \ + && useradd -g "${PGID:-0}" -u "${PUID:-0}" -o crafty \ + && apt-get update \ && apt-get -y --no-install-recommends install \ gcc \ python3 \ 
@@ -28,20 +30,16 @@ RUN apt-get update \ && . /commander-venv/bin/activate \ && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ && pip3 install --no-cache-dir -r /commander-venv/requirements.txt \ - && deactivate + && deactivate \ + && chown -R crafty:crafty /commander-venv -# Copy Source and prepare config if needed, Then apply permissions. +# Copy Source & copy default config from image COPY ./ /commander WORKDIR /commander RUN mv ./app/config ./app/config_original \ && mv ./app/config_original/default.json.example ./app/config_original/default.json \ - && chown -R 1001:0 /commander /commander-venv \ - && chmod -R g=u /commander /commander-venv \ - && chmod +x ./docker_launcher.sh \ - && chmod 775 /commander /commander-venv - -# Switch user to non-root -USER 1001 + && chown -R crafty:crafty /commander \ + && chmod +x ./docker_launcher.sh # Expose Web Interface port & Server port range EXPOSE 8000 @@ -49,6 +47,7 @@ EXPOSE 8443 EXPOSE 19132 EXPOSE 25500-25600 -# Start Crafty Commander through wrapper +# Start Crafty Commander through wrapper as crafty +USER crafty ENTRYPOINT ["/commander/docker_launcher.sh"] CMD ["-v", "-d", "-i"] diff --git a/docker-compose.yml.example b/docker-compose.yml.example index 4de61fd7..852c9a80 100644 --- a/docker-compose.yml.example +++ b/docker-compose.yml.example @@ -5,6 +5,8 @@ services: container_name: crafty_commander image: registry.gitlab.com/crafty-controller/crafty-commander:latest environment: + - PGID=0 + - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index cefacb35..b40dd3d0 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -5,6 +5,8 @@ services: container_name: crafty_commander build: .. environment: + - PGID=0 + - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker_launcher.sh b/docker_launcher.sh index 3eed33b8..7af8edbd 100644 --- a/docker_launcher.sh +++ b/docker_launcher.sh 
@@ -6,6 +6,15 @@ if [ ! "$(ls -A ./app/config)" ]; then cp -r ./app/config_original/* ./app/config/ fi +# Set user/group permissions to env or default to image root +groupmod -g "${PGID}" -o crafty +sed -i -E "s/^(crafty:x):[0-9]+:[0-9]+:(.*)/\\1:$PUID:$PGID:\\2/" /etc/passwd + +# Apply new permissions taken from env over working dirs +chown -R crafty:crafty \ + /commander/ \ + /commander-venv/ + # Activate our prepared venv and launch crafty with provided args . /commander-venv/bin/activate exec python3 main.py $@ From 876d178daa43dcdc6c287b3859476cd18529d641 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 2 Mar 2022 05:11:11 +0000 Subject: [PATCH 10/19] Add config and import dirs, so perms dont go funky --- docker/config/.gitkeep | 0 docker/import/.gitkeep | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 docker/config/.gitkeep create mode 100644 docker/import/.gitkeep diff --git a/docker/config/.gitkeep b/docker/config/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/docker/import/.gitkeep b/docker/import/.gitkeep new file mode 100644 index 00000000..e69de29b From c6b3210fdf67af35c1909a93775f3242ace9d7ac Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 2 Mar 2022 05:16:45 +0000 Subject: [PATCH 11/19] Add final working docker config, root group --- Dockerfile | 37 ++++++++++++++++++++----------------- docker-compose.yml.example | 2 -- docker/docker-compose.yml | 2 -- docker_launcher.sh | 11 +---------- 4 files changed, 21 insertions(+), 31 deletions(-) diff --git a/Dockerfile b/Dockerfile index e798a102..d835958d 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -7,11 +7,13 @@ LABEL maintainer="Dockerfile created by Zedifus " # Security Patch for CVE-2021-44228 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true -# Install Packages, Dependencies and Setup user -COPY requirements.txt /commander-venv/requirements.txt -RUN groupadd -g "${PGID:-0}" -o crafty \ - && useradd -g "${PGID:-0}" -u "${PUID:-0}" -o crafty \ - && apt-get update \ +# Create non-root user & required dirs +RUN useradd -M crafty \ + && mkdir /commander \ + && chown -R crafty:root /commander + +# Install required system packages +RUN apt-get update \ && apt-get -y --no-install-recommends install \ gcc \ python3 \ @@ -25,20 +27,22 @@ RUN groupadd -g "${PGID:-0}" -o crafty \ openjdk-16-jre-headless \ openjdk-17-jre-headless \ && apt-get autoremove \ - && apt-get clean \ - && python3 -m venv /commander-venv/ \ - && . /commander-venv/bin/activate \ - && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ - && pip3 install --no-cache-dir -r /commander-venv/requirements.txt \ - && deactivate \ - && chown -R crafty:crafty /commander-venv + && apt-get clean -# Copy Source & copy default config from image -COPY ./ /commander +# Switch to service user for installing crafty deps +USER crafty WORKDIR /commander +COPY --chown=crafty:root requirements.txt ./ +RUN python3 -m venv ./.venv \ + && . .venv/bin/activate \ + && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ + && pip3 install --no-cache-dir -r requirements.txt \ + && deactivate + +# Copy Source w/ perms & prepare default config from example +COPY --chown=crafty:root ./ ./ RUN mv ./app/config ./app/config_original \ && mv ./app/config_original/default.json.example ./app/config_original/default.json \ - && chown -R crafty:crafty /commander \ && chmod +x ./docker_launcher.sh # Expose Web Interface port & Server port range 
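Review bot: `useradd -M crafty` lets the base image pick the next free UID, and the `USER crafty` added in the second hunk is name-based, so the runtime UID is not fixed by this Dockerfile. Kubernetes `runAsNonRoot` cannot verify a non-numeric `USER`, and the ownership of files written to the bind mounts will shift if a different ID is ever allocated. I would pin it with `RUN useradd -M -u 1001 crafty \` here and `USER 1001` in the following hunk. The README text in PATCH 18 describes root-group permissions, but nothing in these hunks sets group write bits (`COPY --chown=crafty:root` keeps the modes from the build context), so running under an arbitrary UID with GID 0 presumably cannot write to `/commander`; worth confirming.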
@@ -47,7 +51,6 @@ EXPOSE 8443 EXPOSE 19132 EXPOSE 25500-25600 -# Start Crafty Commander through wrapper as crafty -USER crafty +# Start Crafty Commander through wrapper ENTRYPOINT ["/commander/docker_launcher.sh"] CMD ["-v", "-d", "-i"] diff --git a/docker-compose.yml.example b/docker-compose.yml.example index 852c9a80..4de61fd7 100644 --- a/docker-compose.yml.example +++ b/docker-compose.yml.example @@ -5,8 +5,6 @@ services: container_name: crafty_commander image: registry.gitlab.com/crafty-controller/crafty-commander:latest environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index b40dd3d0..cefacb35 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -5,8 +5,6 @@ services: container_name: crafty_commander build: .. environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker_launcher.sh b/docker_launcher.sh index 7af8edbd..34dacd88 100644 --- a/docker_launcher.sh +++ b/docker_launcher.sh @@ -6,15 +6,6 @@ if [ ! "$(ls -A ./app/config)" ]; then cp -r ./app/config_original/* ./app/config/ fi -# Set user/group permissions to env or default to image root -groupmod -g "${PGID}" -o crafty -sed -i -E "s/^(crafty:x):[0-9]+:[0-9]+:(.*)/\\1:$PUID:$PGID:\\2/" /etc/passwd - -# Apply new permissions taken from env over working dirs -chown -R crafty:crafty \ - /commander/ \ - /commander-venv/ - # Activate our prepared venv and launch crafty with provided args -. /commander-venv/bin/activate +. .venv/bin/activate exec python3 main.py $@ From e2f226a6c33542b6f1ff2247a2e4cee34b8f6c87 Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 2 Mar 2022 08:10:49 -0500 Subject: [PATCH 12/19] Attempted fix for daemon sigterm by accepting all args in the sigterm handler --- main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.py b/main.py index e86c5153..f7919337 100644 --- a/main.py +++ b/main.py 
@@ -151,7 +151,7 @@ if __name__ == '__main__': project_root = os.path.dirname(__file__) controller.set_project_root(project_root) - def sigterm_handler(): + def sigterm_handler(*args): print() # for newline logger.info("Recieved SIGTERM, stopping Crafty") console.info("Recieved SIGTERM, stopping Crafty") From e711856cc984541aab241e122ca8d547f964d839 Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 2 Mar 2022 08:12:03 -0500 Subject: [PATCH 13/19] Remove docker exemption from root check --- main.py | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/main.py b/main.py index f7919337..83d68352 100644 --- a/main.py +++ b/main.py @@ -7,14 +7,11 @@ import logging.config import signal from app.classes.shared.console import console from app.classes.shared.helpers import helper -if helper.check_file_exists('/.dockerenv'): - console.cyan("Docker environment detected!") -else: - if helper.checkRoot(): - console.critical("Root detected. Root/Admin access denied. Run Crafty again with non-elevated permissions.") - time.sleep(5) - console.critical("Crafty shutting down. Root/Admin access denied.") - sys.exit(0) +if helper.checkRoot(): + console.critical("Root detected. Root/Admin access denied. Run Crafty again with non-elevated permissions.") + time.sleep(5) + console.critical("Crafty shutting down. Root/Admin access denied.") + sys.exit(0) # pylint: disable=wrong-import-position from app.classes.shared.main_models import installer, database from app.classes.shared.tasks import TasksManager From 7be5cfa449ddef0af83f822741c7a5fbf01b52dd Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 2 Mar 2022 13:28:36 +0000 Subject: [PATCH 14/19] Fix config check in wrapper .gitkeep was making the wrapper think config was present on fresh boot.. Whoops! --- docker_launcher.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker_launcher.sh b/docker_launcher.sh index 34dacd88..08fc81cc 100644 --- a/docker_launcher.sh +++ b/docker_launcher.sh 
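Review bot: `sys.exit(0)` at the end of the root check in PATCH 13 reports success even though Crafty refused to start. Now that the `/.dockerenv` exemption is gone this path is reachable inside containers, where a zero exit code makes `restart: on-failure` policies and CI jobs treat the refusal as a clean run. I would change it to `sys.exit(1)`.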
@@ -1,7 +1,7 @@ #!/bin/sh # Check if config exists from existing installation (venv or previous docker launch) -if [ ! "$(ls -A ./app/config)" ]; then +if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then mkdir ./app/config/ cp -r ./app/config_original/* ./app/config/ fi From 8f0ac0d025c22cf065de533cf1458344dd6e0f52 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 2 Mar 2022 16:22:53 +0000 Subject: [PATCH 15/19] Fix permissions setting on bedrock imports This is not an issue on java as we dont need the execute perm on .jar's Requires to be prefix'd octal intager for mask not decimal --- app/classes/shared/main_controller.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/classes/shared/main_controller.py b/app/classes/shared/main_controller.py index e6c7eb6c..aa025dcf 100644 --- a/app/classes/shared/main_controller.py +++ b/app/classes/shared/main_controller.py @@ -440,7 +440,7 @@ class Controller: new_id = self.register_server(server_name, server_id, new_server_dir, backup_path, server_command, server_exe, server_log_file, server_stop, port, server_type='minecraft-bedrock') - os.chmod(full_jar_path, 2775) + os.chmod(full_jar_path, 0o2775) return new_id def import_bedrock_zip_server(self, server_name: str, zip_path: str, server_exe: str, port: int): @@ -484,7 +484,7 @@ class Controller: new_id = self.register_server(server_name, server_id, new_server_dir, backup_path, server_command, server_exe, server_log_file, server_stop, port, server_type='minecraft-bedrock') - os.chmod(full_jar_path, 2775) + os.chmod(full_jar_path, 0o2775) return new_id #************************************************************************************************ From a871e099942a1eca06176b3c61990ad045c6036b Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 2 Mar 2022 16:44:30 +0000 Subject: [PATCH 16/19] Appease lint User args for something --- main.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
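Review bot: `mkdir ./app/config/` now runs in exactly the case this change introduces, a directory that exists and holds only `.gitkeep`, so it fails with "File exists" on every fresh boot. No `set -e` is visible in the hunk, so the copy still happens, but the error is noise in startup logs and would become fatal if `set -e` were added later. I would use `mkdir -p ./app/config/`. `--ignore` is a GNU `ls` option, which is fine for the apt-based image in this series but would break on a BusyBox base. The end of the script is outside the hunk.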
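Review bot: The leading `2` in `0o2775` is the setgid bit, so both `os.chmod(full_jar_path, 0o2775)` calls in PATCH 15 mark the imported Bedrock executable setgid as well as group-writable and world-executable. The commit message only asks for the execute permission; setgid is normally used on directories for group inheritance, and on a regular executable it makes the program run with the file's group. Unless that is intended, `os.chmod(full_jar_path, 0o775)` (or `0o750` if other users never need it) is enough. Both enclosing functions start outside their hunks.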
diff --git a/main.py b/main.py index 83d68352..8bd7bb1f 100644 --- a/main.py +++ b/main.py @@ -150,8 +150,8 @@ if __name__ == '__main__': def sigterm_handler(*args): print() # for newline - logger.info("Recieved SIGTERM, stopping Crafty") - console.info("Recieved SIGTERM, stopping Crafty") + logger.info(f"Recieved SIGINT [{args[0]}], stopping Crafty...") + console.info(f"Recieved SIGINT [{args[0]}], stopping Crafty...") tasks_manager._main_graceful_exit() Crafty.universal_exit() @@ -162,8 +162,8 @@ if __name__ == '__main__': Crafty.cmdloop() except KeyboardInterrupt: print() # for newline - logger.info("Recieved SIGINT, stopping Crafty") - console.info("Recieved SIGINT, stopping Crafty") + logger.info(f"Recieved SIGINT, stopping Crafty...") + console.info(f"Recieved SIGINT, stopping Crafty...") tasks_manager._main_graceful_exit() Crafty.universal_exit() else: @@ -174,8 +174,8 @@ if __name__ == '__main__': break time.sleep(1) except KeyboardInterrupt: - logger.info("Recieved SIGINT, stopping Crafty") - console.info("Recieved SIGINT, stopping Crafty") + logger.info(f"Recieved SIGINT, stopping Crafty...") + console.info(f"Recieved SIGINT, stopping Crafty...") break tasks_manager._main_graceful_exit() Crafty.universal_exit() From 3e39463e27861a4b97b9f163c18b2518d9e21a3a Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 2 Mar 2022 16:50:44 +0000 Subject: [PATCH 17/19] Fix sighandler args > sig, args defined elsewhere --- main.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/main.py b/main.py index 8bd7bb1f..9712f0d6 100644 --- a/main.py +++ b/main.py 
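Review bot: The handler named `sigterm_handler`, which logged "SIGTERM" before this change, now logs `Recieved SIGINT [{args[0]}]`, so a `docker stop` is recorded as an interrupt followed only by a raw signal number. That is misleading when shutdown logs are used to reconstruct why a server went down. `main.py` already imports `signal`, so the handler can name what it actually received: `def sigterm_handler(signum, _frame):` and `logger.info(f"Received {signal.Signals(signum).name}, stopping Crafty...")`, with the same message for `console.info`. PATCH 17 only renames `args` to `sig` and keeps the wording.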
@@ -148,10 +148,10 @@ if __name__ == '__main__': project_root = os.path.dirname(__file__) controller.set_project_root(project_root) - def sigterm_handler(*args): + def sigterm_handler(*sig): print() # for newline - logger.info(f"Recieved SIGINT [{args[0]}], stopping Crafty...") - console.info(f"Recieved SIGINT [{args[0]}], stopping Crafty...") + logger.info(f"Recieved SIGINT [{sig[0]}], stopping Crafty...") + console.info(f"Recieved SIGINT [{sig[0]}], stopping Crafty...") tasks_manager._main_graceful_exit() Crafty.universal_exit() @@ -162,8 +162,8 @@ if __name__ == '__main__': Crafty.cmdloop() except KeyboardInterrupt: print() # for newline - logger.info(f"Recieved SIGINT, stopping Crafty...") - console.info(f"Recieved SIGINT, stopping Crafty...") + logger.info("Recieved SIGINT, stopping Crafty...") + console.info("Recieved SIGINT, stopping Crafty...") tasks_manager._main_graceful_exit() Crafty.universal_exit() else: @@ -174,8 +174,8 @@ if __name__ == '__main__': break time.sleep(1) except KeyboardInterrupt: - logger.info(f"Recieved SIGINT, stopping Crafty...") - console.info(f"Recieved SIGINT, stopping Crafty...") + logger.info("Recieved SIGINT, stopping Crafty...") + console.info("Recieved SIGINT, stopping Crafty...") break tasks_manager._main_graceful_exit() Crafty.universal_exit() From ef37afd6302d3aca4e7533dabef41b4601cd1180 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 2 Mar 2022 19:27:42 +0000 Subject: [PATCH 18/19] Update documentation for docker updates --- README.md | 73 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 56 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index d7fb8648..f3fbb16a 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,7 @@ a web interface for the server administrators to interact with their servers. Cr is compatible with Docker, Linux, Windows 7, Windows 8 and Windows 10. ## Documentation -Temporary documentation available on [GitLab](https://gitlab.com/crafty-controller/crafty-commander/wikis/home) +Documentation available on [wiki.craftycontrol.com](https://craftycontrol.com) ## Meta Project Homepage - https://craftycontrol.com @@ -17,15 +17,33 @@ Discord Server - https://discord.gg/9VJPhCE Git Repository - https://gitlab.com/crafty-controller/crafty-web -## Basic Docker Usage +
-**To get started with docker**, all you need to do is pull the image from this git repository's registry. -This is done by using `docker-compose` or `docker run`(You don't need to clone the Repository and build, like in 3.x ). +## Basic Docker Usage 🐳 -If you have a config folder already from previous local installation or docker setup, the image should mount this volume, if none is present then it will populate its own config folder for you. +With `Crafty Controller 4.0` we have focused on building our DevOps Principles, implementing build automation, and securing our containers, with the hopes of making our Container user's lives abit easier. -### Using the registry image: -The provided image supports both `arm64` and `amd64` out the box, if you have issues though you can build it yourself. +### - Two big changes you will notice is: +- We now provide pre-built images for you guys. +- Containers now run as non-root, using practices used by OpenSwift & Kubernetes (root group perms). + + +---- + +### - To get started with docker πŸ›« +All you need to do is pull the image from this git repository's registry. +This is done by using `'docker-compose'` or `'docker run'` (You don't need to clone the Repository and build, like in 3.x ). + +If you have a config folder already from previous local installation or _docker setup_*, the image should mount this volume, if no config present then it will populate its own config folder for you.

+As the Dockerfile uses the permission structure of `crafty:root` **internally** there is no need to worry about matching the `UID` or `GID` on the host system :) +> ***Make sure the ownership permissions on `servers/ backups/ logs/ configs/ imports/` in the `docker/` are not `root:root`, please just chown the dir recursively to your host user.** + +> **Please make sure if you are using a `compose` file, that the above volume mount directories are present, otherwise, docker will just make them and they'll be `root:root` which is not what we want.πŸ’€** + +
+ +### - Using the registry image 🌎 +The provided image supports both `arm64` and `amd64` out the box, if you have issues though you can build it yourself with the `compose` file in `docker/`. The image is located at: `registry.gitlab.com/crafty-controller/crafty-commander:latest` | Branch | Status | @@ -50,13 +68,20 @@ or ```bash $ echo | docker login registry.gitlab.com -u --password-stdin ``` -or +or ```bash $ cat ~/my_password.txt | docker login registry.gitlab.com -u --password-stdin ``` Then use one of the following methods: -#### docker-compose.yml +### **docker-compose.yml:** +```sh +# We need to make them because of permissions remember! +$ mkdir docker/backups docker/logs docker/servers docker/config docker/import + +# Make your compose file +$ vim docker-compose.yml +``` ```yml version: '3' @@ -64,40 +89,52 @@ services: crafty: container_name: crafty_commander image: registry.gitlab.com/crafty-controller/crafty-commander:latest + environment: + - TZ=Etc/UTC ports: - "8000:8000" # HTTP - "8443:8443" # HTTPS - "8123:8123" # DYNMAP - "19132:19132/udp" # BEDROCK - - "24000-25600:24000-25600" # MC SERV PORT RANGE + - "25500-25600:25500-25600" # MC SERV PORT RANGE volumes: - ./docker/backups:/commander/backups - ./docker/logs:/commander/logs - ./docker/servers:/commander/servers - ./docker/config:/commander/app/config + - ./docker/import:/commander/import ``` - -#### docker run ```sh +$ docker-compose up -d && docker-compose logs -f +``` +
+ +### **docker run:** +```sh +# We need to make them because of permissions remember! +$ mkdir docker/backups docker/logs docker/servers docker/config docker/import + $ docker run \ --name crafty_commander \ -p 8000:8000 \ -p 8443:8443 \ -p 8123:8123 \ -p 19132:19132/udp \ - -p 24000-25600:24000-25600 \ + -p 25500-25600:25500-25600 \ + -e TZ=Etc/UTC \ -v "/$(pwd)/docker/backups:/commander/backups" \ -v "/$(pwd)/docker/logs:/commander/logs" \ -v "/$(pwd)/docker/servers:/commander/servers" \ -v "/$(pwd)/docker/config:/commander/app/config" \ + -v "/$(pwd)/docker/import:/commander/import" \ registry.gitlab.com/crafty-controller/crafty-commander:latest ``` -### Building from the cloned repository: +### **Building from the cloned repository:** If you are building from `docker-compose` you can find the compose file in `./docker/docker-compose.yml` just `cd` to the docker directory and `docker-compose up -d` -If you'd rather not use `docker-compose` you can use the following `docker run`in the directory where the *Dockerfile* is: +If you'd rather not use `docker-compose` you can use the following `docker run` in the directory where the *Dockerfile* is: ```sh # REMEMBER, Build your image first! $ docker build . -t crafty @@ -108,11 +145,13 @@ $ docker run \ -p 8443:8443 \ -p 8123:8123 \ -p 19132:19132/udp \ - -p 24000-25600:24000-25600 \ + -p 25500-25600:25500-25600 \ + -e TZ=Etc/UTC \ -v "/$(pwd)/docker/backups:/commander/backups" \ -v "/$(pwd)/docker/logs:/commander/logs" \ -v "/$(pwd)/docker/servers:/commander/servers" \ -v "/$(pwd)/docker/config:/commander/app/config" \ + -v "/$(pwd)/docker/import:/commander/import" \ crafty ``` -A fresh build will take several minutes depending on your system, but will be rapid there after. +A fresh build will take several minutes depending on your system, but will be rapid thereafter. From 82cbd4d9bc5d5c33850acdf408d92c4102496310 Mon Sep 17 00:00:00 2001 
From: Iain Powrie Date: Wed, 2 Mar 2022 21:16:40 +0000 Subject: [PATCH 19/19] Documentation/docker warnings --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f3fbb16a..d5e8ccf4 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,11 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles, - Containers now run as non-root, using practices used by OpenSwift & Kubernetes (root group perms). +> __**⚠ πŸ”»WARNING: [WSL/WSL2 | WINDOWS 11 | DOCKER DESKTOP]πŸ”»**__
+ BE ADVISED! Upstream is currently broken for Minecraft running on **Docker under WSL/WSL2, Windows 11 / DOCKER DESKTOP!**
+ On '**Stop**' or '**Restart**' of the MC Server, there is a 90% chance the World's Chunks will be shredded irreparably!
+ Please only run Docker on Linux, If you are using Windows we have a portable installs found here: [Latest-Stable](https://gitlab.com/crafty-controller/crafty-commander/-/jobs/artifacts/master/download?job=win-prod-build), [Latest-Development](https://gitlab.com/crafty-controller/crafty-commander/-/jobs/artifacts/dev/download?job=win-dev-build) + ---- ### - To get started with docker πŸ›« @@ -77,7 +82,7 @@ Then use one of the following methods: ### **docker-compose.yml:** ```sh # We need to make them because of permissions remember! -$ mkdir docker/backups docker/logs docker/servers docker/config docker/import +$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import # Make your compose file $ vim docker-compose.yml @@ -112,7 +117,7 @@ $ docker-compose up -d && docker-compose logs -f ### **docker run:** ```sh # We need to make them because of permissions remember! -$ mkdir docker/backups docker/logs docker/servers docker/config docker/import +$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import $ docker run \ --name crafty_commander \