meatbag/baseimage-alpine
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Merge pull request #145 from linuxserver/edge-custom-rework

Browse source
This commit is contained in:
Adam 2022-09-09 22:09:02 +01:00 committed by GitHub
parent cab3eeadd4 b21fa71c22
commit 083ad3333e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 130 additions and 95 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

124
root/docker-mods
View file

@ -1,6 +1,12 @@
#!/usr/bin/with-contenv bash
# shellcheck shell=bash
# Define custom folder paths
SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
SCRIPTS_DIR="/custom-cont-init.d"
SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d"
# Set executable bit on cont-init and services built into the image
set_legacy_executable_bits() {
mkdir -p /etc/{cont-init.d,services.d}
@ -10,67 +16,57 @@ set_legacy_executable_bits() {
}
tamper_check() {
SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
SCRIPTS_DIR="/custom-cont-init.d"
SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d"
#Tamper check custom service locations
if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
#Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
}
tamper_check_legacy() {
# Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
echo "**** Potential tampering with custom scripts detected ****"
echo "[custom-init] **** Potential tampering with custom scripts detected ****"
randstr=$(
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
echo
)
mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p ${SCRIPTS_DIR_OLD}
chown 0:0 ${SCRIPTS_DIR_OLD}
echo "[custom-init] **** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
# Tamper check custom service locations
if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
echo "**** Potential tampering with custom scripts detected ****"
echo "[custom-init] **** Potential tampering with custom scripts detected ****"
randstr=$(
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
echo
)
mv "${SERVICES_DIR_OLD}" "${SERVICES_DIR_OLD}.${randstr}"
echo "**** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
echo "**** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p ${SERVICES_DIR_OLD}
chown 0:0 ${SERVICES_DIR_OLD}
echo "[custom-init] **** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
elif [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} -perm -o+w)" ]]; then
echo "**** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} ! -user root)" ]]; then
echo "**** The folder '${SERVICES_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} -perm -o+w)" ]]; then
echo "**** The folder '${SERVICES_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
}
# Process Custom Services
process_custom_services() {
SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d"
# Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed
if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
@ -78,15 +74,9 @@ process_custom_services() {
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
fi
if [[ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]] &&
[[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] no custom services found, skipping..."
return
fi
# Make sure custom service directory exists and has files in it
if [[ -e "${SERVICES_DIR}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]]; then
echo "[custom-init] service files found in ${SERVICES_DIR}"
echo "[custom-init] Service files found in ${SERVICES_DIR}"
for SERVICE in "${SERVICES_DIR}"/*; do
NAME="$(basename "${SERVICE}")"
if [[ -f "${SERVICE}" ]]; then
@ -102,10 +92,29 @@ process_custom_services() {
echo "[custom-init] ${NAME}: is not a file"
fi
done
else
echo "[custom-init] No custom services found, skipping..."
fi
# Remove legacy folder if it's empty
if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..."
rm -rf "${SERVICES_DIR_OLD}"
fi
}
process_custom_services_legacy() {
# Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed
if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
echo "[custom-init] removing existing custom services..."
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
fi
# Make sure custom service directory exists and has files in it
if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
echo "[custom-init] Service files found in ${SERVICES_DIR_OLD}"
for SERVICE in "${SERVICES_DIR_OLD}"/*; do
NAME="$(basename "${SERVICE}")"
if [[ -f "${SERVICE}" ]]; then
@ -121,6 +130,14 @@ process_custom_services() {
echo "[custom-init] ${NAME}: is not a file"
fi
done
else
echo "[custom-init] No custom services found, skipping..."
fi
# Remove legacy folder if it's empty
if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..."
rm -rf "${SERVICES_DIR_OLD}"
fi
}
@ -130,6 +147,7 @@ curl_check() {
echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing"
if [[ -f /usr/bin/apt ]]; then
## Ubuntu
export DEBIAN_FRONTEND="noninteractive"
apt-get update
apt-get install --no-install-recommends -y \
curl \
@ -250,11 +268,17 @@ run_mods() {
done
}
# Tamper check legacy services
tamper_check
# Main script loop
# Process any custom services
process_custom_services
if [ ! -d "${SCRIPTS_DIR}" ] && [ ! -d "${SERVICES_DIR}" ]; then
# Tamper check legacy custom folders
tamper_check_legacy
process_custom_services_legacy
else
# Tamper check new custom folders
tamper_check
process_custom_services
fi
# Run mod logic
if [[ -n "${DOCKER_MODS+x}" ]]; then

23
root/etc/s6-overlay/s6-rc.d/init-custom-files/run
View file

@ -17,15 +17,9 @@ if [[ -e "${SERVICES_DIR_OLD}" ]]; then
chown -R 0:0 "${SERVICES_DIR_OLD}"
fi
if [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]] &&
[[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] no custom files found, skipping..."
exit 0
fi
# Make sure custom init directory exists and has files in it
if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then
echo "[custom-init] files found, executing"
echo "[custom-init] Files found, executing"
for SCRIPT in "${SCRIPTS_DIR}"/*; do
NAME="$(basename "${SCRIPT}")"
if [[ -f "${SCRIPT}" ]]; then
@ -36,10 +30,14 @@ if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)"
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] files found, executing"
# Remove legacy folder if it's empty
if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] Legacy files folder ${SCRIPTS_DIR_OLD} is empty, deleting..."
rm -rf "${SCRIPTS_DIR_OLD}"
fi
elif [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] Files found, executing"
for SCRIPT in "${SCRIPTS_DIR_OLD}"/*; do
NAME="$(basename "${SCRIPT}")"
if [[ -f "${SCRIPT}" ]]; then
@ -50,4 +48,9 @@ if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/de
echo "[custom-init] ${NAME}: is not a file"
fi
done
elif [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
echo "[custom-init] Legacy files folder ${SCRIPTS_DIR_OLD} is empty, deleting..."
rm -rf "${SCRIPTS_DIR_OLD}"
else
echo "[custom-init] No custom files found, skipping..."
fi

50
root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
View file

@ -2,33 +2,41 @@
# shellcheck shell=bash
if [[ -f "/mod-repo-packages-to-install.list" ]]; then
echo "**** Installing all mod packages ****"
if [[ -f /usr/bin/apt ]]; then
export DEBIAN_FRONTEND="noninteractive"
apt-get update
apt-get install -y --no-install-recommends \
"$(cat /mod-repo-packages-to-install.list)"
elif [[ -f /sbin/apk ]]; then
apk add --no-cache \
"$(cat /mod-repo-packages-to-install.list)"
IFS=' ' read -ra REPO_PACKAGES <<< "$(tr '\n' ' ' < /mod-repo-packages-to-install.list)"
if [[ ${#REPO_PACKAGES[@]} -ne 0 ]] && [[ ${REPO_PACKAGES[*]} != "" ]]; then
echo "[mod-init] **** Installing all mod packages ****"
if [[ -f /usr/bin/apt ]]; then
export DEBIAN_FRONTEND="noninteractive"
apt-get update
apt-get install -y --no-install-recommends \
"${REPO_PACKAGES[@]}"
elif [[ -f /sbin/apk ]]; then
apk add --no-cache \
"${REPO_PACKAGES[@]}"
fi
fi
fi
if [[ -f "/mod-pip-packages-to-install.list" ]]; then
echo "**** Installing all pip packages ****"
python3 -m pip install -U pip wheel setuptools
if [[ -f /usr/bin/apt ]]; then
PIP_ARGS="-f https://wheel-index.linuxserver.io/ubuntu/"
elif [[ -f /sbin/apk ]]; then
ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||')
if [[ "${ALPINE_VER}" = "3.14" ]]; then
PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine/"
else
PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/"
IFS=' ' read -ra PIP_PACKAGES <<< "$(tr '\n' ' ' < /mod-pip-packages-to-install.list)"
if [[ ${#PIP_PACKAGES[@]} -ne 0 ]] && [[ ${PIP_PACKAGES[*]} != "" ]]; then
echo "[mod-init] **** Installing all pip packages ****"
python3 -m pip install -U pip wheel setuptools
PIP_ARGS=()
if [[ -f /usr/bin/apt ]]; then
PIP_ARGS+=("-f" "https://wheel-index.linuxserver.io/ubuntu/")
elif [[ -f /sbin/apk ]]; then
ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||')
if [[ "${ALPINE_VER}" = "3.14" ]]; then
PIP_ARGS+=("-f" "https://wheel-index.linuxserver.io/alpine/")
else
PIP_ARGS+=("-f" "https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/")
fi
fi
python3 -m pip install \
"${PIP_ARGS[@]}" \
"${PIP_PACKAGES[@]}"
fi
python3 -m pip install "${PIP_ARGS}" \
"$(cat /mod-pip-packages-to-install.list)"
fi
rm -rf \

28
root/etc/s6-overlay/s6-rc.d/init-script-check/run
View file

@ -4,20 +4,20 @@
if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] ||
[[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then
cat << EOF | tee {/config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt} 2>/dev/null
********************************************************
********************************************************
* *
* !!!! *
* Custom scripts or services found in legacy locations *
* !!!! *
* Please move your custom scripts and services *
* to /custom-cont-init.d and /custom-services.d *
* respectively to ensure they continue working. *
* *
* Visit https://linuxserver.io/custom for more info. *
* *
********************************************************
********************************************************
********************************************************
********************************************************
* *
* !!!! *
* Custom scripts or services found in legacy locations *
* !!!! *
* Please move your custom scripts and services *
* to /custom-cont-init.d and /custom-services.d *
* respectively to ensure they continue working. *
* *
* Visit https://linuxserver.io/custom for more info. *
* *
********************************************************
********************************************************
EOF
fi
exit 0