From 98c0c403c9ee13aad9e87c9f13c9d0f170649268 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Mon, 28 Feb 2022 20:01:14 +0000 Subject: [PATCH] Investigating a different approach of non root These commits are 100% getting squashed. Just got to test this on my production machine. Definitely not sure if this is the right way of doing it experimenting. --- Dockerfile | 23 ++++++++++++----------- docker-compose.yml.example | 2 -- docker/docker-compose.yml | 2 -- docker_launcher.sh | 9 --------- 4 files changed, 12 insertions(+), 24 deletions(-) diff --git a/Dockerfile b/Dockerfile index e798a102..474fd3ef 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,11 +7,9 @@ LABEL maintainer="Dockerfile created by Zedifus " # Security Patch for CVE-2021-44228 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true -# Install Packages, Dependencies and Setup user +# Install Packages and Setup Dependencies in venv COPY requirements.txt /commander-venv/requirements.txt -RUN groupadd -g "${PGID:-0}" -o crafty \ - && useradd -g "${PGID:-0}" -u "${PUID:-0}" -o crafty \ - && apt-get update \ +RUN apt-get update \ && apt-get -y --no-install-recommends install \ gcc \ python3 \ 
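Review bot: Dropping the `groupadd`/`useradd` pair from this `RUN` leaves the UID the image later switches to (1001) with no `/etc/passwd` entry, so anything in the container that resolves the current user or its home directory — Python's `os.path.expanduser`, `getpass.getuser()` (falls through to `pwd.getpwuid` and raises `KeyError`), `HOME`-relative cache paths — can fail or end up under `/`. If Crafty never needs that, a comment saying so on the `RUN` line would stop the next maintainer from re-adding it; otherwise keep a fixed non-root account here, e.g. `useradd -u 1001 -g 0 -d /commander -s /usr/sbin/nologin crafty \` before `apt-get update`, or at minimum `ENV HOME=/commander` so writes land inside the tree the image already chowns. The `RUN` chain continues past the end of this hunk.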
@@ -30,16 +28,20 @@ RUN groupadd -g "${PGID:-0}" -o crafty \ && . /commander-venv/bin/activate \ && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ && pip3 install --no-cache-dir -r /commander-venv/requirements.txt \ - && deactivate \ - && chown -R crafty:crafty /commander-venv + && deactivate -# Copy Source & copy default config from image +# Copy Source and prepare config if needed, Then apply permissions. COPY ./ /commander WORKDIR /commander RUN mv ./app/config ./app/config_original \ && mv ./app/config_original/default.json.example ./app/config_original/default.json \ - && chown -R crafty:crafty /commander \ - && chmod +x ./docker_launcher.sh + && chown -R 1001:0 /commander /commander-venv \ + && chmod -R g=u /commander /commander-venv \ + && chmod +x ./docker_launcher.sh \ + && chmod 775 /commander /commander-venv + +# Switch user to non-root +USER 1001 # Expose Web Interface port & Server port range EXPOSE 8000 @@ -47,7 +49,6 @@ EXPOSE 8443 EXPOSE 19132 EXPOSE 25500-25600 -# Start Crafty Commander through wrapper as crafty -USER crafty +# Start Crafty Commander through wrapper ENTRYPOINT ["/commander/docker_launcher.sh"] CMD ["-v", "-d", "-i"] diff --git a/docker-compose.yml.example b/docker-compose.yml.example index 852c9a80..4de61fd7 100644 --- a/docker-compose.yml.example +++ b/docker-compose.yml.example @@ -5,8 +5,6 @@ services: container_name: crafty_commander image: registry.gitlab.com/crafty-controller/crafty-commander:latest environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index b40dd3d0..cefacb35 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -5,8 +5,6 @@ services: container_name: crafty_commander build: .. environment: - - PGID=0 - - PUID=0 - TZ=Etc/UTC ports: - "8000:8000" # HTTP diff --git a/docker_launcher.sh b/docker_launcher.sh index 7af8edbd..3eed33b8 100644 --- a/docker_launcher.sh 
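Review bot: `chown -R 1001:0` followed by `chmod -R g=u` makes every file under `/commander` and `/commander-venv` group-writable for gid 0, and `USER 1001` (no passwd entry) runs with gid 0 as its primary group, so the "non-root" process can still overwrite its own source tree and the venv's site-packages — an exploited app persists by editing code, which is the thing running as non-root was meant to prevent. Grant write only where the runtime needs it: the launcher visibly copies into `./app/config`, and presumably server/log directories need it too (confirm against the compose volumes), so something like `chmod -R g=u ./app/config` on those paths instead of the whole tree, leaving the rest owner-writable only. The pattern also silently depends on Docker defaulting an unknown UID to the root group; `USER 1001:0` makes that explicit and survives a later `useradd`. Separately, `COPY --chown=1001:0 ./ /commander` on the `COPY` line in this hunk avoids rewriting the entire tree in a second layer.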
+++ b/docker_launcher.sh @@ -6,15 +6,6 @@ if [ ! "$(ls -A ./app/config)" ]; then cp -r ./app/config_original/* ./app/config/ fi -# Set user/group permissions to env or default to image root -groupmod -g "${PGID}" -o crafty -sed -i -E "s/^(crafty:x):[0-9]+:[0-9]+:(.*)/\\1:$PUID:$PGID:\\2/" /etc/passwd - -# Apply new permissions taken from env over working dirs -chown -R crafty:crafty \ - /commander/ \ - /commander-venv/ - # Activate our prepared venv and launch crafty with provided args . /commander-venv/bin/activate exec python3 main.py $@