Fully v3ify edge image (#120)

Co-authored-by: Eric Nemchik <eric@nemchik.com>

.editorconfig

@@ -15,6 +15,6 @@ trim_trailing_whitespace = false
 indent_style = space
 indent_size = 2
 
-[{**.sh,root/etc/cont-init.d/**,root/etc/services.d/**}]
+[{**.sh,root/docker-mods,root/etc/s6-overlay/s6-rc.d/**,root/etc/cont-init.d/**,root/etc/services.d/**}]
 indent_style = space
 indent_size = 4

Dockerfile

@@ -36,7 +36,7 @@ RUN \
   sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow
 
 # set version for s6 overlay
-ARG S6_OVERLAY_VERSION="3.1.0.1"
+ARG S6_OVERLAY_VERSION="3.1.2.0"
 ARG S6_OVERLAY_ARCH="x86_64"
 
 # add s6 overlay
@@ -51,13 +51,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-arch.tar.xz /tmp
 RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz
 
-# copy ci-checks
-COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d
-
-# patch cont-init for docker-mods
-COPY patch/ /tmp/patch
-RUN  patch -u /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-linux-init/skel/rc.init -i /tmp/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch
-
 # Runtime stage
 FROM scratch
 COPY --from=rootfs-stage /root-out/ /
@@ -70,7 +63,9 @@ LABEL maintainer="TheLamer"
 ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \
 HOME="/root" \
 TERM="xterm" \
-S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0"
+S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" \
+S6_VERBOSITY=1 \
+S6_STAGE2_HOOK=/docker-mods
 
 RUN \
   echo "**** install runtime packages ****" && \

Dockerfile.aarch64

@@ -36,7 +36,7 @@ RUN \
   sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow
 
 # set version for s6 overlay
-ARG S6_OVERLAY_VERSION="3.1.0.1"
+ARG S6_OVERLAY_VERSION="3.1.2.0"
 ARG S6_OVERLAY_ARCH="aarch64"
 
 # add s6 overlay
@@ -51,13 +51,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-arch.tar.xz /tmp
 RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz
 
-# copy ci-checks
-COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d
-
-# patch cont-init for docker-mods
-COPY patch/ /tmp/patch
-RUN  patch -u /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-linux-init/skel/rc.init -i /tmp/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch
-
 # Runtime stage
 FROM scratch
 COPY --from=rootfs-stage /root-out/ /
@@ -70,7 +63,9 @@ LABEL maintainer="TheLamer"
 ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \
 HOME="/root" \
 TERM="xterm" \
-S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0"
+S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" \
+S6_VERBOSITY=1 \
+S6_STAGE2_HOOK=/docker-mods
 
 RUN \
   echo "**** install runtime packages ****" && \

Dockerfile.armhf

@@ -36,7 +36,7 @@ RUN \
   sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow
 
 # set version for s6 overlay
-ARG S6_OVERLAY_VERSION="3.1.0.1"
+ARG S6_OVERLAY_VERSION="3.1.2.0"
 ARG S6_OVERLAY_ARCH="armhf"
 
 # add s6 overlay
@@ -51,13 +51,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-arch.tar.xz /tmp
 RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz
 
-# copy ci-checks
-COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d
-
-# patch cont-init for docker-mods
-COPY patch/ /tmp/patch
-RUN  patch -u /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-linux-init/skel/rc.init -i /tmp/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch
-
 # Runtime stage
 FROM scratch
 COPY --from=rootfs-stage /root-out/ /
@@ -70,7 +63,9 @@ LABEL maintainer="TheLamer"
 ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \
 HOME="/root" \
 TERM="xterm" \
-S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0"
+S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" \
+S6_VERBOSITY=1 \
+S6_STAGE2_HOOK=/docker-mods
 
 RUN \
   echo "**** install runtime packages ****" && \

patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch

@@ -1,11 +0,0 @@
---- rc.init	2022-05-20 17:41:11.195721000 -0500
-+++ rc.init.patched	2022-05-20 17:41:37.646586700 -0500
-@@ -6,6 +6,8 @@
-   s6-chmod 0755 /run/s6/container_environment
- fi
- 
-+/docker-mods
-+
- if profile=`printcontenv S6_RUNTIME_PROFILE` ; then
-   etc="/etc/cont-profile.d/$profile"
- else

root/docker-mods

@@ -1,147 +1,238 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Set executable bit on cont-init and services built into the image
 set_legacy_executable_bits() {
-  mkdir -p /etc/{cont-init.d,services.d}
-  chmod +x \
-    /etc/cont-init.d/* \
-    /etc/services.d/*/* 2> /dev/null || true
+    mkdir -p /etc/{cont-init.d,services.d}
+    chmod +x \
+        /etc/cont-init.d/* \
+        /etc/services.d/*/* 2>/dev/null || true
 }
-set_legacy_executable_bits
 
-# Exit if mods is not set
-if [ -z ${DOCKER_MODS+x} ]; then
-  exit 0
-fi
+# Tamper check custom service locations
+tamper_check() {
+    SERVICES_DIR_OLD="/config/custom-services.d"
+    SERVICES_DIR="/custom-services.d"  
+    if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
+        echo "**** Potential tampering with custom scripts detected ****"
+        randstr=$(
+            tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
+            echo
+        )
+        mv "${SERVICES_DIR_OLD}" "${SERVICES_DIR_OLD}.${randstr}"
+        echo "**** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
+        echo "**** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+        mkdir -p ${SERVICES_DIR_OLD}
+        chown 0:0 ${SERVICES_DIR_OLD}
+    elif [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} -perm -o+w)" ]]; then
+        echo "**** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    fi
+
+    if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} ! -user root)" ]]; then
+        echo "**** The folder '${SERVICES_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} -perm -o+w)" ]]; then
+        echo "**** The folder '${SERVICES_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    fi
+}
+
+# Process Custom Services
+process_custom_services() {
+    SERVICES_DIR_OLD="/config/custom-services.d"
+    SERVICES_DIR="/custom-services.d"
+
+    # Remove all existing custom services before continuing to ensure
+    # we aren't running anything the user may have removed
+    if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
+        echo "[custom-init] removing existing custom services..."
+        rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
+    fi
+
+    if [[ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]] &&
+        [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
+        echo "[custom-init] no custom services found, skipping..."
+        return
+    fi
+
+    # Make sure custom service directory exists and has files in it
+    if [[ -e "${SERVICES_DIR}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]]; then
+        echo "[custom-init] service files found in ${SERVICES_DIR}"
+        for SERVICE in "${SERVICES_DIR}"/*; do
+            NAME="$(basename "${SERVICE}")"
+            if [[ -f "${SERVICE}" ]]; then
+                echo "[custom-init] ${NAME}: service detected, copying..."
+                mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
+                cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
+                chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
+                echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
+                touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services
+                touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}"
+                echo "[custom-init] ${NAME}: copied"
+            elif [[ ! -f "${SERVICE}" ]]; then
+                echo "[custom-init] ${NAME}: is not a file"
+            fi
+        done
+    fi
+
+    if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
+        echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
+        for SERVICE in "${SERVICES_DIR_OLD}"/*; do
+            NAME="$(basename "${SERVICE}")"
+            if [[ -f "${SERVICE}" ]]; then
+                echo "[custom-init] ${NAME}: service detected, copying..."
+                mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
+                cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
+                chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
+                echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
+                touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services
+                touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}"
+                echo "[custom-init] ${NAME}: copied"
+            elif [[ ! -f "${SERVICE}" ]]; then
+                echo "[custom-init] ${NAME}: is not a file"
+            fi
+        done
+    fi
+}
 
 # Check for curl
-if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then
-  echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing"
-  if [ -f /usr/bin/apt ]; then
-    ## Ubuntu
-    apt-get update
-    apt-get install --no-install-recommends -y \
-      curl \
-      jq
-  elif [ -f /sbin/apk ]; then
-    # Alpine
-    apk add --no-cache \
-      curl \
-      jq
-  fi
-fi
-
-## Functions
+curl_check() {
+    if [[ ! -f /usr/bin/curl ]] || [[ ! -f /usr/bin/jq ]]; then
+        echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing"
+        if [[ -f /usr/bin/apt ]]; then
+            ## Ubuntu
+            apt-get update
+            apt-get install --no-install-recommends -y \
+                curl \
+                jq
+        elif [[ -f /sbin/apk ]]; then
+            # Alpine
+            apk add --no-cache \
+                curl \
+                jq
+        fi
+    fi
+}
 
 # Use different filtering depending on URL
-get_blob_sha () {
-  if [[ $1 == "ghcr" ]]; then
-    curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
-      --silent \
-      --location \
-      --request GET \
-      --header "Authorization: Bearer $2" \
-      $3 | jq -r '.layers[0].digest'
-  else
-    curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
-      --silent \
-      --location \
-      --request GET \
-      --header "Authorization: Bearer $2" \
-      $3 | jq -r '.fsLayers[0].blobSum'
-  fi
+get_blob_sha() {
+    if [[ $1 == "ghcr" ]]; then
+        curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+            --silent \
+            --location \
+            --request GET \
+            --header "Authorization: Bearer $2" \
+            "$3" | jq -r '.layers[0].digest'
+    else
+        curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+            --silent \
+            --location \
+            --request GET \
+            --header "Authorization: Bearer $2" \
+            "$3" | jq -r '.fsLayers[0].blobSum'
+    fi
 }
 
 # Main run logic
-echo "[mod-init] Attempting to run Docker Modification Logic"
-IFS='|'
-DOCKER_MODS=(${DOCKER_MODS})
-for DOCKER_MOD in "${DOCKER_MODS[@]}"; do
-  # Support alternative endpoints
-  if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then
-    DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}"
-    ENDPOINT="${DOCKER_MOD%%:*}"
-    USERNAME="${DOCKER_MOD%%/*}"
-    REPO="${ENDPOINT#*/}"
-    TAG="${DOCKER_MOD#*:}"
-    if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
-      TAG="latest"
-    fi
-    FILENAME="${USERNAME}.${REPO}.${TAG}"
-    AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull"
-    MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}"
-    BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/"
-    MODE="ghcr"
-  else
-    ENDPOINT="${DOCKER_MOD%%:*}"
-    USERNAME="${DOCKER_MOD%%/*}"
-    REPO="${ENDPOINT#*/}"
-    TAG="${DOCKER_MOD#*:}"
-    if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
-      TAG="latest"
-    fi
-    FILENAME="${USERNAME}.${REPO}.${TAG}"
-    AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull"
-    MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}"
-    BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/"
-    MODE="dockerhub"
-  fi
-  # Kill off modification logic if any of the usernames are banned
-  BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt)
-  IFS=$'\n'
-  BLACKLIST=(${BLACKLIST})
-  for BANNED in "${BLACKLIST[@]}"; do
-    if [ "${BANNED}" == "${USERNAME,,}" ]; then
-      if [ -z ${RUN_BANNED_MODS+x} ]; then
-        echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic"
-        exit 0
-      else
-        echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied"
-      fi
-    fi
-  done
-  echo "[mod-init] Applying ${DOCKER_MOD} files to container"
-  # Get Dockerhub token for api operations
-  TOKEN=\
-"$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
-    --silent \
-    --header 'GET' \
-    "${AUTH_URL}" \
-    | jq -r '.token' \
-  )"
-  # Determine first and only layer of image
-  SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}")
-  # Check if we have allready applied this layer
-  if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then
-    echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping"
-  else
-    # Download and extract layer to /
-    curl -f --retry 10 --retry-max-time 60 --retry-all-errors \
-      --silent \
-      --location \
-      --request GET \
-      --header "Authorization: Bearer ${TOKEN}" \
-      "${BLOB_URL}${SHALAYER}" -o \
-      /modtarball.tar.xz
-    mkdir -p /tmp/mod
-    tar xzf /modtarball.tar.xz -C /tmp/mod
-    if [ -d /tmp/mod/etc/s6-overlay ]; then
-      if [ -d /tmp/mod/etc/cont-init.d ]; then
-        rm -rf /tmp/mod/etc/cont-init.d
-      fi
-      if [ -d /tmp/mod/etc/services.d ]; then
-        rm -rf /tmp/mod/etc/services.d
-      fi
-    fi
-    shopt -s dotglob
-    cp -R /tmp/mod/* /
-    shopt -u dotglob
-    rm -rf /tmp/mod
-    rm -rf /modtarball.tar.xz
-    echo ${SHALAYER} > "/${FILENAME}"
-    echo "[mod-init] ${DOCKER_MOD} applied to container"
-  fi
-done
+run_mods() {
+    echo "[mod-init] Attempting to run Docker Modification Logic"
+    for DOCKER_MOD in $(echo "${DOCKER_MODS}" | tr '|' '\n'); do
+        # Support alternative endpoints
+        if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then
+            DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}"
+            ENDPOINT="${DOCKER_MOD%%:*}"
+            USERNAME="${DOCKER_MOD%%/*}"
+            REPO="${ENDPOINT#*/}"
+            TAG="${DOCKER_MOD#*:}"
+            if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
+                TAG="latest"
+            fi
+            FILENAME="${USERNAME}.${REPO}.${TAG}"
+            AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull"
+            MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}"
+            BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/"
+            MODE="ghcr"
+        else
+            ENDPOINT="${DOCKER_MOD%%:*}"
+            USERNAME="${DOCKER_MOD%%/*}"
+            REPO="${ENDPOINT#*/}"
+            TAG="${DOCKER_MOD#*:}"
+            if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
+                TAG="latest"
+            fi
+            FILENAME="${USERNAME}.${REPO}.${TAG}"
+            AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull"
+            MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}"
+            BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/"
+            MODE="dockerhub"
+        fi
+        # Kill off modification logic if any of the usernames are banned
+        for BANNED in $(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt); do
+            if [[ "${BANNED,,}" == "${USERNAME,,}" ]]; then
+                if [[ -z ${RUN_BANNED_MODS+x} ]]; then
+                    echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic"
+                    return
+                else
+                    echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied"
+                fi
+            fi
+        done
+        echo "[mod-init] Applying ${DOCKER_MOD} files to container"
+        # Get Dockerhub token for api operations
+        TOKEN="$(
+            curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
+                --silent \
+                --header 'GET' \
+                "${AUTH_URL}" |
+                jq -r '.token'
+        )"
+        # Determine first and only layer of image
+        SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}")
+        # Check if we have allready applied this layer
+        if [[ -f "/${FILENAME}" ]] && [[ "${SHALAYER}" == "$(cat /"${FILENAME}")" ]]; then
+            echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping"
+        else
+            # Download and extract layer to /
+            curl -f --retry 10 --retry-max-time 60 --retry-all-errors \
+                --silent \
+                --location \
+                --request GET \
+                --header "Authorization: Bearer ${TOKEN}" \
+                "${BLOB_URL}${SHALAYER}" -o \
+                /modtarball.tar.xz
+            mkdir -p /tmp/mod
+            tar xzf /modtarball.tar.xz -C /tmp/mod
+            if [[ -d /tmp/mod/etc/s6-overlay ]]; then
+                if [[ -d /tmp/mod/etc/cont-init.d ]]; then
+                    rm -rf /tmp/mod/etc/cont-init.d
+                fi
+                if [[ -d /tmp/mod/etc/services.d ]]; then
+                    rm -rf /tmp/mod/etc/services.d
+                fi
+            fi
+            shopt -s dotglob
+            cp -R /tmp/mod/* /
+            shopt -u dotglob
+            rm -rf /tmp/mod
+            rm -rf /modtarball.tar.xz
+            echo "${SHALAYER}" >"/${FILENAME}"
+            echo "[mod-init] ${DOCKER_MOD} applied to container"
+        fi
+    done
+}
 
-# Set executable bit on cont-init and services that may have been unpacked by mods
+# Tamper check legacy services
+tamper_check
+
+# Process any custom services
+process_custom_services
+
+# Run mod logic
+if [[ -n "${DOCKER_MODS+x}" ]]; then
+    curl_check
+    run_mods
+fi
+
+# Set executable bit on legacy cont-init and services built into the image and anything legacy unpacked by mods
 set_legacy_executable_bits

root/etc/cont-init.d/01-envfile

@@ -1,16 +0,0 @@
-#! /bin/bash
-
-if [[ "$(ls /var/run/s6/container_environment/ | xargs)" == *"FILE__"* ]]; then
-  for FILENAME in /var/run/s6/container_environment/*; do
-    if [[ "${FILENAME##*/}" == "FILE__"* ]]; then
-      SECRETFILE=$(cat ${FILENAME})
-      if [[ -f ${SECRETFILE} ]]; then
-        FILESTRIP=${FILENAME//FILE__/}
-        cat ${SECRETFILE} > ${FILESTRIP}
-        echo "[env-init] ${FILESTRIP##*/} set from ${FILENAME##*/}"
-      else
-        echo "[env-init] cannot find secret in ${FILENAME##*/}"
-      fi
-    fi
-  done
-fi

root/etc/cont-init.d/01-migrations

@@ -1,30 +0,0 @@
-#!/bin/bash
-
-MIGRATIONS_DIR="/migrations"
-MIGRATIONS_HISTORY="/config/.migrations"
-
-echo "[migrations] started"
-
-if [ ! -d $MIGRATIONS_DIR ]; then
-  echo "[migrations] no migrations found"
-  exit
-fi
-
-for MIGRATION in $(ls -1 ${MIGRATIONS_DIR}/* | sort -n); do
-  NAME="$(basename "${MIGRATION}")"
-  if [ -f $MIGRATIONS_HISTORY ] && grep -Fxq "$NAME" $MIGRATIONS_HISTORY; then
-    echo "[migrations] ${NAME}: skipped"
-    continue
-  fi
-  echo "[migrations] ${NAME}: executing..."
-  chmod +x $MIGRATION
-  EXIT_CODE=$(/bin/bash ${MIGRATION}; echo $?)
-  if [ $EXIT_CODE -ne 0 ]; then
-    echo "[migrations] ${NAME}: failed with exit code $EXIT_CODE, contact support"
-    exit $EXIT_CODE
-  fi
-  echo $NAME >> $MIGRATIONS_HISTORY
-  echo "[migrations] ${NAME}: succeeded"
-done
-
-echo "[migrations] done"

root/etc/cont-init.d/02-tamper-check

@@ -1,18 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
-    echo "**** Potential tampering with custom scripts/services detected ****"
-    randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
-    for folder in "/config/custom-cont-init.d" "/config/custom-services.d"; do
-        if [ -d "${folder}" ]; then
-            mv "${folder}" "${folder}.${randstr}"
-            echo "**** Folder ${folder} is moved to ${folder}.${randstr} ****"
-        fi
-    done
-    echo "**** The folders '/config/custom-cont-init.d' and '/config/custom-services.d'; and their contents need to all be owned by root to prevent root escalation inside the container!!! ****"
-    mkdir -p /config/custom-cont-init.d /config/custom-services.d
-    chown 0:0 /config/custom-cont-init.d /config/custom-services.d
-elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
-    echo "**** The folders '/config/custom-cont-init.d' or '/config/custom-services.d'; or some of their contents have write permissions for others, which is a security risk. ****"
-    echo "**** Please review the permissions of these two folders and their contents to make sure they are owned by root, and can only be modified by root. ****"
-fi

root/etc/cont-init.d/90-custom-folders

@@ -1,5 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# create custom folders and secure permissions
-mkdir -p /config/{custom-cont-init.d,custom-services.d}
-chown -R 0:0 /config/{custom-cont-init.d,custom-services.d}

root/etc/cont-init.d/99-custom-files

@@ -1,49 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Directories
-SCRIPTS_DIR="/config/custom-cont-init.d"
-SERVICES_DIR="/config/custom-services.d"
-
-# Remove all existing custom services before continuing to ensure
-# we aren't running anything the user may have removed
-if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
-  echo "[custom-init] removing existing custom services..."
-  rm -rf /etc/services.d/custom-service-*
-fi
-
-# Make sure custom init directory exists and has files in it
-if ([ -e "${SCRIPTS_DIR}" ] && \
-   [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]) || \
-   ([ -e "${SERVICES_DIR}" ] && \
-   [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]); then
-    if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then
-      echo "[custom-init] files found in ${SCRIPTS_DIR} executing"
-      for SCRIPT in ${SCRIPTS_DIR}/*; do
-        NAME="$(basename "${SCRIPT}")"
-        if [ -f "${SCRIPT}" ]; then
-          echo "[custom-init] ${NAME}: executing..."
-          /bin/bash ${SCRIPT}
-          echo "[custom-init] ${NAME}: exited $?"
-        elif [ ! -f "${SCRIPT}" ]; then
-          echo "[custom-init] ${NAME}: is not a file"
-        fi
-      done
-    fi
-    if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
-      echo "[custom-init] service files found in ${SERVICES_DIR}"
-      for SERVICE in ${SERVICES_DIR}/*; do
-        NAME="$(basename "${SERVICE}")"
-        if [ -f "${SERVICE}" ]; then
-          echo "[custom-init] ${NAME}: service detected, copying..."
-          mkdir -p /etc/services.d/custom-service-${NAME}/
-          cp ${SERVICE} /etc/services.d/custom-service-${NAME}/run
-          chmod +x /etc/services.d/custom-service-${NAME}/run
-          echo "[custom-init] ${NAME}: copied"
-        elif [ ! -f "${SERVICE}" ]; then
-          echo "[custom-init] ${NAME}: is not a file"
-        fi
-      done
-    fi
-else
-  echo "[custom-init] no custom files found exiting..."
-fi

root/etc/s6-overlay/s6-rc.d/init-adduser/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 PUID=${PUID:-911}
 PGID=${PGID:-911}
@@ -37,7 +38,7 @@ User gid:    $(id -g abc)
 time32="$(date +%Y)"
 
 if [[ "${time32}" == "1970" || "${time32}" == "1969" ]] && [ "$(uname -m)" == "armv7l" ]; then
-  echo '
+    echo '
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
 Your DockerHost is running an outdated version of libseccomp
@@ -48,7 +49,7 @@ Apps will not behave correctly without this
 
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 '
-sleep infinity
+    sleep infinity
 fi
 
 chown abc:abc /app

root/etc/s6-overlay/s6-rc.d/init-adduser/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-adduser/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-adduser/run

root/etc/s6-overlay/s6-rc.d/init-config-end/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-config-end/up

@@ -0,0 +1 @@
+# This file doesn't do anything, it's just the end of the downstream image init process

root/etc/s6-overlay/s6-rc.d/init-config/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-config/up

@@ -0,0 +1 @@
+# This file doesn't do anything, it's just the start of the downstream image init process

root/etc/s6-overlay/s6-rc.d/init-custom-files/run

@@ -0,0 +1,78 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# Directories
+SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
+SCRIPTS_DIR="/custom-cont-init.d"
+
+SERVICES_DIR_OLD="/config/custom-services.d"
+
+# Tamper check custom script locations
+if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
+    echo "**** Potential tampering with custom scripts detected ****"
+    randstr=$(
+        tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
+        echo
+    )
+    mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
+    echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
+    echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+    mkdir -p ${SCRIPTS_DIR_OLD}
+    chown 0:0 ${SCRIPTS_DIR_OLD}
+elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
+    echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
+    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+fi
+
+if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
+    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
+    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
+    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
+    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+fi
+
+# chown legacy folders if they exist
+if [[ -e "${SCRIPTS_DIR_OLD}" ]]; then
+    chown -R 0:0 "${SCRIPTS_DIR_OLD}"
+fi
+
+# chown legacy folders if they exist
+if [[ -e "${SERVICES_DIR_OLD}" ]]; then
+    chown -R 0:0 "${SERVICES_DIR_OLD}"
+fi
+
+if [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]] &&
+    [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
+    echo "[custom-init] no custom files found, skipping..."
+    exit 0
+fi
+
+# Make sure custom init directory exists and has files in it
+if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then
+    echo "[custom-init] files found, executing"
+    for SCRIPT in "${SCRIPTS_DIR}"/*; do
+        NAME="$(basename "${SCRIPT}")"
+        if [[ -f "${SCRIPT}" ]]; then
+            echo "[custom-init] ${NAME}: executing..."
+            /bin/bash "${SCRIPT}"
+            echo "[custom-init] ${NAME}: exited $?"
+        elif [[ ! -f "${SCRIPT}" ]]; then
+            echo "[custom-init] ${NAME}: is not a file"
+        fi
+    done
+fi
+
+if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
+    echo "[custom-init] files found, executing"
+    for SCRIPT in "${SCRIPTS_DIR_OLD}"/*; do
+        NAME="$(basename "${SCRIPT}")"
+        if [[ -f "${SCRIPT}" ]]; then
+            echo "[custom-init] ${NAME}: executing..."
+            /bin/bash "${SCRIPT}"
+            echo "[custom-init] ${NAME}: exited $?"
+        elif [[ ! -f "${SCRIPT}" ]]; then
+            echo "[custom-init] ${NAME}: is not a file"
+        fi
+    done
+fi

root/etc/s6-overlay/s6-rc.d/init-custom-files/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-custom-files/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-custom-files/run

root/etc/s6-overlay/s6-rc.d/init-envfile/run

@@ -0,0 +1,17 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+if find /var/run/s6/container_environment/*"FILE__"* -maxdepth 1 > /dev/null 2>&1; then
+    for FILENAME in /var/run/s6/container_environment/*; do
+        if [[ "${FILENAME##*/}" == "FILE__"* ]]; then
+            SECRETFILE=$(cat "${FILENAME}")
+            if [[ -f ${SECRETFILE} ]]; then
+                FILESTRIP=${FILENAME//FILE__/}
+                cat "${SECRETFILE}" >"${FILESTRIP}"
+                echo "[env-init] ${FILESTRIP##*/} set from ${FILENAME##*/}"
+            else
+                echo "[env-init] cannot find secret in ${FILENAME##*/}"
+            fi
+        fi
+    done
+fi

root/etc/s6-overlay/s6-rc.d/init-envfile/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-envfile/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-envfile/run

root/etc/s6-overlay/s6-rc.d/init-migrations/run

@@ -0,0 +1,34 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+MIGRATIONS_DIR="/migrations"
+MIGRATIONS_HISTORY="/config/.migrations"
+
+echo "[migrations] started"
+
+if [[ ! -d ${MIGRATIONS_DIR} ]]; then
+    echo "[migrations] no migrations found"
+    exit
+fi
+
+for MIGRATION in $(find ${MIGRATIONS_DIR}/* | sort -n); do
+    NAME="$(basename "${MIGRATION}")"
+    if [[ -f ${MIGRATIONS_HISTORY} ]] && grep -Fxq "${NAME}" ${MIGRATIONS_HISTORY}; then
+        echo "[migrations] ${NAME}: skipped"
+        continue
+    fi
+    echo "[migrations] ${NAME}: executing..."
+    chmod +x "${MIGRATION}"
+    EXIT_CODE=$(
+        /bin/bash "${MIGRATION}"
+        echo $?
+    )
+    if [[ ${EXIT_CODE} -ne 0 ]]; then
+        echo "[migrations] ${NAME}: failed with exit code ${EXIT_CODE}, contact support"
+        exit "${EXIT_CODE}"
+    fi
+    echo "${NAME}" >>${MIGRATIONS_HISTORY}
+    echo "[migrations] ${NAME}: succeeded"
+done
+
+echo "[migrations] done"

root/etc/s6-overlay/s6-rc.d/init-migrations/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-migrations/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-migrations/run

root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run

@@ -1,33 +1,34 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
-if [ -f "/mod-repo-packages-to-install.list" ]; then
+if [[ -f "/mod-repo-packages-to-install.list" ]]; then
     echo "**** Installing all mod packages ****"
-    if [ -f /usr/bin/apt ]; then
+    if [[ -f /usr/bin/apt ]]; then
         export DEBIAN_FRONTEND="noninteractive"
         apt-get update
         apt-get install -y --no-install-recommends \
-            $(cat /mod-repo-packages-to-install.list)
-    elif [ -f /sbin/apk ]; then
+            "$(cat /mod-repo-packages-to-install.list)"
+    elif [[ -f /sbin/apk ]]; then
         apk add --no-cache \
-            $(cat /mod-repo-packages-to-install.list)
+            "$(cat /mod-repo-packages-to-install.list)"
     fi
 fi
 
-if [ -f "/mod-pip-packages-to-install.list" ]; then
+if [[ -f "/mod-pip-packages-to-install.list" ]]; then
     echo "**** Installing all pip packages ****"
     python3 -m pip install -U pip wheel setuptools
-    if [ -f /usr/bin/apt ]; then
+    if [[ -f /usr/bin/apt ]]; then
         PIP_ARGS="-f https://wheel-index.linuxserver.io/ubuntu/"
-    elif [ -f /sbin/apk ]; then
+    elif [[ -f /sbin/apk ]]; then
         ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||')
-        if [ "${ALPINE_VER}" = "3.14" ]; then
+        if [[ "${ALPINE_VER}" = "3.14" ]]; then
             PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine/"
         else
             PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/"
         fi
     fi
-    python3 -m pip install ${PIP_ARGS} \
-        $(cat /mod-pip-packages-to-install.list)
+    python3 -m pip install "${PIP_ARGS}" \
+        "$(cat /mod-pip-packages-to-install.list)"
 fi
 
 rm -rf \

root/etc/s6-overlay/s6-rc.d/init-os-end/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-os-end/up

@@ -0,0 +1 @@
+# This file doesn't do anything, it's just the end of the mod init process

root/etc/s6-overlay/s6-rc.d/init-script-check/run

@@ -0,0 +1,22 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] ||
+    [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then
+    cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null
+    ********************************************************
+    ********************************************************
+    *                                                      *
+    *                         !!!!                         *
+    * Custom scripts or services found in legacy locations *
+    *                         !!!!                         *
+    *    Please move your custom scripts and services      *
+    *    to /custom-cont-init.d and /custom-services.d     *
+    *    respectively to ensure they continue working.     *
+    *                                                      *
+    *  Visit https://linuxserver.io/custom for more info.  *
+    *                                                      *    
+    ********************************************************
+    ********************************************************
+EOF
+fi

root/etc/s6-overlay/s6-rc.d/init-script-check/type

@@ -0,0 +1 @@
+oneshot

root/etc/s6-overlay/s6-rc.d/init-script-check/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-script-check/run

root/etc/s6-overlay/s6-rc.d/init-services/up

@@ -1 +1 @@
-# This file doesn't do anything, it's just the start of the service init process
+# This file doesn't do anything, it just signals that services can start

root/usr/bin/with-contenv

@@ -1,9 +1,9 @@
-#! /bin/bash
+#!/bin/bash
 
-if [[ -f /var/run/s6/container_environment/UMASK ]] && \
-    { [[ "$(pwdx $$)" =~ "/run/s6/legacy-services/" ]] || \
-    [[ "$(pwdx $$)" =~ "/run/s6/services/" ]] || \
-    [[ "$(pwdx $$)" =~ "/servicedirs/svc-" ]]; }; then
-    umask $(cat /var/run/s6/container_environment/UMASK)
+if [[ -f /var/run/s6/container_environment/UMASK ]] &&
+    { [[ "$(pwdx $$)" =~ "/run/s6/legacy-services/" ]] ||
+        [[ "$(pwdx $$)" =~ "/run/s6/services/" ]] ||
+        [[ "$(pwdx $$)" =~ "/servicedirs/svc-" ]]; }; then
+    umask "$(cat /var/run/s6/container_environment/UMASK)"
 fi
 exec /command/with-contenv "$@"