From f6f2804792cfc985119d720949ebd3080f96a91a Mon Sep 17 00:00:00 2001 
From: TheSpad Date: Wed, 8 Jun 2022 15:31:58 +0100 Subject: [PATCH 01/60] Initial s6-rc commit --- root/etc/cont-init.d/02-tamper-check | 18 ---- root/etc/cont-init.d/90-custom-folders | 5 -- root/etc/cont-init.d/99-custom-files | 49 ----------- .../dependencies.d/init-migrations | 0 .../dependencies.d/init-script-check | 0 .../s6-rc.d/init-adduser/run} | 0 root/etc/s6-overlay/s6-rc.d/init-adduser/type | 1 + root/etc/s6-overlay/s6-rc.d/init-adduser/up | 1 + .../init-base/dependencies.d/init-adduser | 0 .../init-base/dependencies.d/init-envfile | 0 .../init-base/dependencies.d/init-migrations | 0 .../dependencies.d/init-script-check | 0 root/etc/s6-overlay/s6-rc.d/init-base/type | 1 + root/etc/s6-overlay/s6-rc.d/init-base/up | 1 + .../dependencies.d/init-downstream | 0 .../s6-overlay/s6-rc.d/init-custom-files/run | 87 +++++++++++++++++++ .../s6-overlay/s6-rc.d/init-custom-files/type | 1 + .../s6-overlay/s6-rc.d/init-custom-files/up | 1 + .../init-downstream/dependencies.d/init-base | 0 .../s6-overlay/s6-rc.d/init-downstream/type | 1 + .../etc/s6-overlay/s6-rc.d/init-downstream/up | 1 + .../init-envfile/dependencies.d/00-legacy | 0 .../s6-rc.d/init-envfile/run} | 0 root/etc/s6-overlay/s6-rc.d/init-envfile/type | 1 + root/etc/s6-overlay/s6-rc.d/init-envfile/up | 1 + .../init-migrations/dependencies.d/00-legacy | 0 .../s6-rc.d/init-migrations/run} | 2 +- .../s6-overlay/s6-rc.d/init-migrations/type | 1 + .../etc/s6-overlay/s6-rc.d/init-migrations/up | 1 + .../dependencies.d/00-legacy | 0 .../s6-overlay/s6-rc.d/init-script-check/run | 19 ++++ .../s6-overlay/s6-rc.d/init-script-check/type | 1 + .../s6-overlay/s6-rc.d/init-script-check/up | 1 + .../s6-rc.d/user/contents.d/init-adduser | 0 .../s6-rc.d/user/contents.d/init-base | 0 .../s6-rc.d/user/contents.d/init-envfile | 0 .../s6-rc.d/user/contents.d/init-migrations | 0 .../s6-rc.d/user/contents.d/init-script-check | 0 38 files changed, 121 insertions(+), 73 deletions(-) delete mode 100755 
root/etc/cont-init.d/02-tamper-check delete mode 100755 root/etc/cont-init.d/90-custom-folders delete mode 100755 root/etc/cont-init.d/99-custom-files create mode 100644 root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-migrations create mode 100644 root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-script-check rename root/etc/{cont-init.d/10-adduser => s6-overlay/s6-rc.d/init-adduser/run} (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-adduser/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-adduser/up create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/up create mode 100644 root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream create mode 100755 root/etc/s6-overlay/s6-rc.d/init-custom-files/run create mode 100644 root/etc/s6-overlay/s6-rc.d/init-custom-files/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-custom-files/up create mode 100644 root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base create mode 100644 root/etc/s6-overlay/s6-rc.d/init-downstream/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-downstream/up create mode 100644 root/etc/s6-overlay/s6-rc.d/init-envfile/dependencies.d/00-legacy rename root/etc/{cont-init.d/01-envfile => s6-overlay/s6-rc.d/init-envfile/run} (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-envfile/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-envfile/up create mode 100644 root/etc/s6-overlay/s6-rc.d/init-migrations/dependencies.d/00-legacy rename root/etc/{cont-init.d/01-migrations => 
s6-overlay/s6-rc.d/init-migrations/run} (98%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-migrations/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-migrations/up create mode 100644 root/etc/s6-overlay/s6-rc.d/init-script-check/dependencies.d/00-legacy create mode 100755 root/etc/s6-overlay/s6-rc.d/init-script-check/run create mode 100644 root/etc/s6-overlay/s6-rc.d/init-script-check/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-script-check/up create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-adduser create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-migrations create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-script-check diff --git a/root/etc/cont-init.d/02-tamper-check b/root/etc/cont-init.d/02-tamper-check deleted file mode 100755 index 6699a27..0000000 --- a/root/etc/cont-init.d/02-tamper-check +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/with-contenv bash - -if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then - echo "**** Potential tampering with custom scripts/services detected ****" - randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) - for folder in "/config/custom-cont-init.d" "/config/custom-services.d"; do - if [ -d "${folder}" ]; then - mv "${folder}" "${folder}.${randstr}" - echo "**** Folder ${folder} is moved to ${folder}.${randstr} ****" - fi - done - echo "**** The folders '/config/custom-cont-init.d' and '/config/custom-services.d'; and their contents need to all be owned by root to prevent root escalation inside the container!!! ****" - mkdir -p /config/custom-cont-init.d /config/custom-services.d - chown 0:0 /config/custom-cont-init.d /config/custom-services.d -elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then - echo "**** The folders '/config/custom-cont-init.d' or '/config/custom-services.d'; or some of their contents have write permissions for others, which is a security risk. ****" - echo "**** Please review the permissions of these two folders and their contents to make sure they are owned by root, and can only be modified by root. ****" -fi diff --git a/root/etc/cont-init.d/90-custom-folders b/root/etc/cont-init.d/90-custom-folders deleted file mode 100755 index 14b7914..0000000 --- a/root/etc/cont-init.d/90-custom-folders +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/with-contenv bash - -# create custom folders and secure permissions -mkdir -p /config/{custom-cont-init.d,custom-services.d} -chown -R 0:0 /config/{custom-cont-init.d,custom-services.d} 
diff --git a/root/etc/cont-init.d/99-custom-files b/root/etc/cont-init.d/99-custom-files deleted file mode 100755 index 2195641..0000000 --- a/root/etc/cont-init.d/99-custom-files +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/with-contenv bash - -# Directories -SCRIPTS_DIR="/config/custom-cont-init.d" -SERVICES_DIR="/config/custom-services.d" - -# Remove all existing custom services before continuing to ensure -# we aren't running anything the user may have removed -if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then - echo "[custom-init] removing existing custom services..." - rm -rf /etc/services.d/custom-service-* -fi - -# Make sure custom init directory exists and has files in it -if ([ -e "${SCRIPTS_DIR}" ] && \ - [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]) || \ - ([ -e "${SERVICES_DIR}" ] && \ - [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]); then - if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then - echo "[custom-init] files found in ${SCRIPTS_DIR} executing" - for SCRIPT in ${SCRIPTS_DIR}/*; do - NAME="$(basename "${SCRIPT}")" - if [ -f "${SCRIPT}" ]; then - echo "[custom-init] ${NAME}: executing..." - /bin/bash ${SCRIPT} - echo "[custom-init] ${NAME}: exited $?" - elif [ ! -f "${SCRIPT}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - fi - if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then - echo "[custom-init] service files found in ${SERVICES_DIR}" - for SERVICE in ${SERVICES_DIR}/*; do - NAME="$(basename "${SERVICE}")" - if [ -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/services.d/custom-service-${NAME}/ - cp ${SERVICE} /etc/services.d/custom-service-${NAME}/run - chmod +x /etc/services.d/custom-service-${NAME}/run - echo "[custom-init] ${NAME}: copied" - elif [ ! -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - fi -else - echo "[custom-init] no custom files found exiting..." -fi 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-migrations b/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-migrations new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-script-check new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/cont-init.d/10-adduser b/root/etc/s6-overlay/s6-rc.d/init-adduser/run similarity index 100% rename from root/etc/cont-init.d/10-adduser rename to root/etc/s6-overlay/s6-rc.d/init-adduser/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/type b/root/etc/s6-overlay/s6-rc.d/init-adduser/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/up b/root/etc/s6-overlay/s6-rc.d/init-adduser/up new file mode 100644 index 0000000..b8522da --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/up @@ -0,0 +1 @@ +/etc/s6-overlay/s6-rc.d/init-adduser/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check new file mode 100644 index 0000000..e69de29 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/type b/root/etc/s6-overlay/s6-rc.d/init-base/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-base/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/up b/root/etc/s6-overlay/s6-rc.d/init-base/up new file mode 100644 index 0000000..0738317 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-base/up @@ -0,0 +1 @@ +# This file doesn't do anything, it's just the end of the base image init process diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream b/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run new file mode 100755 index 0000000..9cded7f --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run 
@@ -0,0 +1,87 @@
+#!/usr/bin/with-contenv bash
+
+# Directories
+SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
+SERVICES_DIR_OLD="/config/custom-services.d"
+SCRIPTS_DIR="/custom-cont-init.d"
+SERVICES_DIR="/custom-services.d"
+
+# Remove all existing custom services before continuing to ensure
+# we aren't running anything the user may have removed
+if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
+ echo "[custom-init] removing existing custom services..."
+ rm -rf /etc/services.d/custom-service-*
+fi
+
+if { [ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } && \
+ { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
+ { [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } && \
+ { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
+ echo "[custom-init] no custom files found, exiting..."
+ exit 0
+fi
+
+# Make sure custom init directory exists and has files in it
+if { [ -e "${SCRIPTS_DIR}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } || \
+ { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then
+ if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then
+ echo "[custom-init] files found, executing"
+ for SCRIPT in ${SCRIPTS_DIR}/*; do
+ NAME="$(basename "${SCRIPT}")"
+ if [ -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: executing..."
+ /bin/bash "${SCRIPT}"
+ echo "[custom-init] ${NAME}: exited $?"
+ elif [ ! -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+ if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
+ echo "[custom-init] service files found in ${SERVICES_DIR}"
+ for SERVICE in ${SERVICES_DIR}/*; do
+ NAME="$(basename "${SERVICE}")"
+ if [ -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: service detected, copying..."
+ mkdir -p /etc/services.d/custom-service-"${NAME}"/
+ cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
+ chmod +x /etc/services.d/custom-service-"${NAME}"/run
+ echo "[custom-init] ${NAME}: copied"
+ elif [ ! -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+fi
+
+if { [ -e "${SCRIPTS_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } || \
+ { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
+ if [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; then
+ echo "[custom-init] files found, executing"
+ for SCRIPT in ${SCRIPTS_DIR_OLD}/*; do
+ NAME="$(basename "${SCRIPT}")"
+ if [ -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: executing..."
+ /bin/bash "${SCRIPT}"
+ echo "[custom-init] ${NAME}: exited $?"
+ elif [ ! -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+ if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then
+ echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
+ for SERVICE in ${SERVICES_DIR_OLD}/*; do
+ NAME="$(basename "${SERVICE}")"
+ if [ -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: service detected, copying..."
+ mkdir -p /etc/services.d/custom-service-"${NAME}"/
+ cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
+ chmod +x /etc/services.d/custom-service-"${NAME}"/run
+ echo "[custom-init] ${NAME}: copied"
+ elif [ ! -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/type b/root/etc/s6-overlay/s6-rc.d/init-custom-files/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/up b/root/etc/s6-overlay/s6-rc.d/init-custom-files/up
new file mode 100644
index 0000000..28bf318
--- /dev/null
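Review bot: Every regular file under `${SCRIPTS_DIR}` and `${SERVICES_DIR}` is run with `/bin/bash "${SCRIPT}"` or installed as a service with no ownership or permission check, while this same commit deletes `02-tamper-check` and adds nothing equivalent for the new `/custom-cont-init.d` and `/custom-services.d` paths. If those directories are bind-mounted with content the unprivileged application user can write, that user gets code execution as the init user on the next container start — the escalation the removed check warned about for `/config`. A per-file guard before the `/bin/bash` and `cp` lines closes it: `if [ -n "$(find "${SCRIPT}" \( ! -user root -o -perm /022 \))" ]; then echo "[custom-init] ${NAME}: skipped, not root-owned or writable by non-root"; continue; fi`. The two directory blocks are otherwise copy-pasted; a function taking the directory as `$1` would keep that guard in one place.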
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/up @@ -0,0 +1 @@ +/etc/s6-overlay/s6-rc.d/init-custom-files/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base b/root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/type b/root/etc/s6-overlay/s6-rc.d/init-downstream/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-downstream/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/up b/root/etc/s6-overlay/s6-rc.d/init-downstream/up new file mode 100644 index 0000000..c329423 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-downstream/up @@ -0,0 +1 @@ +# This file doesn't do anything, it's just the end of the downstream image init process diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/dependencies.d/00-legacy b/root/etc/s6-overlay/s6-rc.d/init-envfile/dependencies.d/00-legacy new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/cont-init.d/01-envfile b/root/etc/s6-overlay/s6-rc.d/init-envfile/run similarity index 100% rename from root/etc/cont-init.d/01-envfile rename to root/etc/s6-overlay/s6-rc.d/init-envfile/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/type b/root/etc/s6-overlay/s6-rc.d/init-envfile/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/up b/root/etc/s6-overlay/s6-rc.d/init-envfile/up new file mode 100644 index 0000000..b2b4fb8 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/up @@ -0,0 +1 @@ +/etc/s6-overlay/s6-rc.d/init-envfile/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/dependencies.d/00-legacy b/root/etc/s6-overlay/s6-rc.d/init-migrations/dependencies.d/00-legacy new file mode 100644 index 0000000..e69de29 
diff --git a/root/etc/cont-init.d/01-migrations b/root/etc/s6-overlay/s6-rc.d/init-migrations/run
similarity index 98%
rename from root/etc/cont-init.d/01-migrations
rename to root/etc/s6-overlay/s6-rc.d/init-migrations/run
index 4ab4464..5eef083 100755
--- a/root/etc/cont-init.d/01-migrations
+++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/run
@@ -7,7 +7,7 @@ echo "[migrations] started"
 
 if [ ! -d $MIGRATIONS_DIR ]; then
 echo "[migrations] no migrations found"
- exit
+ exit 0
 fi
 
 for MIGRATION in $(ls -1 ${MIGRATIONS_DIR}/* | sort -n); do
diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/type b/root/etc/s6-overlay/s6-rc.d/init-migrations/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/up b/root/etc/s6-overlay/s6-rc.d/init-migrations/up
new file mode 100644
index 0000000..7c4cbcf
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-migrations/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/dependencies.d/00-legacy b/root/etc/s6-overlay/s6-rc.d/init-script-check/dependencies.d/00-legacy
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
new file mode 100755
index 0000000..05355ad
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
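Review bot: `for MIGRATION in $(ls -1 ${MIGRATIONS_DIR}/* | sort -n)` word-splits the output of `ls`, so a migration name containing whitespace becomes several loop values, and `[ ! -d $MIGRATIONS_DIR ]` two lines above is unquoted for the same reason. Iterating the glob directly, `for MIGRATION in "${MIGRATIONS_DIR}"/*; do`, visits the same files in the lexical order `ls` already produces; every path starts with `/`, so `sort -n` appears to add no numeric ordering beyond that, though that is worth confirming against the migration file names in use. The loop body is outside the hunk.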
@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv bash
+
+if { [ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]; } && \
+ { [ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]; }; then
+cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null
+ ********************************************************
+ ********************************************************
+ * *
+ * !!!! *
+ * Custom scripts or services found in legacy locations *
+ * !!!! *
+ * Please move your custom scripts and services *
+ * to /custom-cont-init.d and /custom-services.d *
+ * respectively to ensure they continue working. *
+ * *
+ ********************************************************
+ ********************************************************
+EOF
+fi
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/type b/root/etc/s6-overlay/s6-rc.d/init-script-check/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/up b/root/etc/s6-overlay/s6-rc.d/init-script-check/up
new file mode 100644
index 0000000..a7c155a
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-script-check/run
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-adduser b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-adduser
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile
new file mode 100644
index 0000000..e69de29
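Review bot: The guard only fires when both `/config/custom-cont-init.d` and `/config/custom-services.d` are non-empty (`&&`), so a user with scripts in just one legacy directory — the common case — gets no notice; it should be `||`. The `tee` target is also one comma-joined argument, so `tee` tries to open a file under a directory that does not exist, fails silently behind `2>/dev/null`, and no README is ever written; the two paths need to be separate arguments, `tee /config/custom-cont-init.d/README.txt /config/custom-services.d/README.txt`. Before fixing that, note that a README.txt dropped into `custom-cont-init.d` would be picked up by `init-custom-files`, which runs every regular file in that directory with `/bin/bash`, so bash would try to execute the banner lines as commands (each run of `*` is a glob against the working directory). Printing the notice to the log only, or writing it to a path outside the executed directories such as `/config/custom-scripts-README.txt`, avoids that.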
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-migrations b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-migrations new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-script-check new file mode 100644 index 0000000..e69de29 From 2c28aeb4c83e2b11dae27c2bdb6274b6405550b1 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Wed, 8 Jun 2022 15:32:49 +0100 Subject: [PATCH 02/60] Trailing newline --- root/etc/s6-overlay/s6-rc.d/init-script-check/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index 05355ad..0e450db 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run @@ -16,4 +16,4 @@ cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d ******************************************************** ******************************************************** EOF -fi \ No newline at end of file +fi From 6ac3a53809bed43b4f343058b4e11667cf77b76c Mon Sep 17 00:00:00 2001 From: TheSpad Date: Wed, 8 Jun 2022 17:55:24 +0100 Subject: [PATCH 03/60] Add base to init-base so downstream init doesn't run too early --- root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/base | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/base diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/base b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/base new file mode 100644 index 0000000..e69de29 From 32e37c440b390cf3d44f663f844b04264e6ff1b9 Mon Sep 17 00:00:00 2001 
From: TheSpad Date: Thu, 9 Jun 2022 11:51:02 +0100 Subject: [PATCH 04/60] Add tamper check until legacy custom files location removed --- .../dependencies.d/init-tamper-check | 0 .../init-base/dependencies.d/init-tamper-check | 0 .../dependencies.d/init-script-check | 0 .../s6-overlay/s6-rc.d/init-tamper-check/run | 18 ++++++++++++++++++ .../s6-overlay/s6-rc.d/init-tamper-check/type | 1 + .../s6-overlay/s6-rc.d/init-tamper-check/up | 1 + .../s6-rc.d/user/contents.d/init-tamper-check | 0 7 files changed, 20 insertions(+) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-tamper-check create mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-tamper-check create mode 100644 root/etc/s6-overlay/s6-rc.d/init-tamper-check/dependencies.d/init-script-check create mode 100755 root/etc/s6-overlay/s6-rc.d/init-tamper-check/run create mode 100644 root/etc/s6-overlay/s6-rc.d/init-tamper-check/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-tamper-check/up create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-tamper-check diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-tamper-check b/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-tamper-check new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-tamper-check b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-tamper-check new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/dependencies.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/dependencies.d/init-script-check new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run new file mode 100755 index 0000000..6699a27 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run 
@@ -0,0 +1,18 @@
+#!/usr/bin/with-contenv bash
+
+if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
+ echo "**** Potential tampering with custom scripts/services detected ****"
+ randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
+ for folder in "/config/custom-cont-init.d" "/config/custom-services.d"; do
+ if [ -d "${folder}" ]; then
+ mv "${folder}" "${folder}.${randstr}"
+ echo "**** Folder ${folder} is moved to ${folder}.${randstr} ****"
+ fi
+ done
+ echo "**** The folders '/config/custom-cont-init.d' and '/config/custom-services.d'; and their contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+ mkdir -p /config/custom-cont-init.d /config/custom-services.d
+ chown 0:0 /config/custom-cont-init.d /config/custom-services.d
+elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
+ echo "**** The folders '/config/custom-cont-init.d' or '/config/custom-services.d'; or some of their contents have write permissions for others, which is a security risk. ****"
+ echo "**** Please review the permissions of these two folders and their contents to make sure they are owned by root, and can only be modified by root. ****"
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/type b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/up b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/up
new file mode 100644
index 0000000..80c298e
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/up
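Review bot: The `elif` branch only prints a warning when something under the legacy directories is world-writable, but those files are still executed as root later in the same boot (`init-custom-files` depends on `init-downstream`, which depends on `init-base`, which depends on this unit), so a root-owned script the unprivileged app user can write is exactly the escalation the first branch quarantines, just one restart later. Treat writable-by-others the same as not-root-owned by folding it into the first condition, e.g. `[ -n "$(find /config/custom-cont-init.d \( ! -user root -o -perm -o+w \))" ]` for each directory, and drop the `elif`. Group-writable entries (`-perm -g+w`) are worth including as well, since group membership is not part of this check at all. The ownership test runs `find` without `-L`, so a root-owned symlink pointing at a user-writable file passes while `[ -f ]` and `/bin/bash` follow it; whether that can arise depends on who can create entries in these directories.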
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-tamper-check/run
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-tamper-check b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-tamper-check
new file mode 100644
index 0000000..e69de29
From ec6eed279db16ea1e6cd5577fa239b9eeea29568 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Thu, 9 Jun 2022 11:51:13 +0100
Subject: [PATCH 05/60] Chown legacy custom locations if they exist
---
root/etc/s6-overlay/s6-rc.d/init-custom-files/run | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
index 9cded7f..02588ed 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
@@ -6,11 +6,20 @@ SERVICES_DIR_OLD="/config/custom-services.d"
 SCRIPTS_DIR="/custom-cont-init.d"
 SERVICES_DIR="/custom-services.d"
 
+# chown legacy folders if they exist
+if [ -e "${SCRIPTS_DIR_OLD}" ]; then
+ chown -R 0:0 "${SCRIPTS_DIR_OLD}"
+fi
+
+if [ -e "${SERVICES_DIR_OLD}" ]; then
+ chown -R 0:0 "${SERVICES_DIR_OLD}"
+fi
+
 # Remove all existing custom services before continuing to ensure
 # we aren't running anything the user may have removed
 if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
- echo "[custom-init] removing existing custom services..."
- rm -rf /etc/services.d/custom-service-*
+ echo "[custom-init] removing existing custom services..."
+ rm -rf /etc/services.d/custom-service-*
 fi
 
 if { [ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } && \
From 92a97355b48065ceeafe00c449970feab041d075 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 10 Jun 2022 16:16:17 +0100
Subject: [PATCH 06/60] Remove custom service handling
---
.../s6-overlay/s6-rc.d/init-custom-files/run | 53 ++-----------------
1 file changed, 3 insertions(+), 50 deletions(-)
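Review bot: `chown -R 0:0` fixes ownership but leaves mode bits alone, so a legacy script that is group- or world-writable stays writable by the unprivileged app user and is still executed as root further down this file; if the intent is to make the legacy directories safe, pair each chown with `chmod -R go-w "${SCRIPTS_DIR_OLD}"` (and the same for `SERVICES_DIR_OLD`), or skip such files at execution time. Note also that `init-tamper-check` already runs before this unit and moves aside any directory with non-root-owned content, so in practice this chown mostly sees root-owned trees and only changes group ownership; a comment stating that, e.g. `# tamper-check has already quarantined non-root-owned trees; this normalises group ownership`, would stop the next reader from relying on it as the security boundary. The rest of the script is outside the hunk.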
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
index 02588ed..a26cb2b 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
@@ -2,37 +2,21 @@
 
 # Directories
 SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
-SERVICES_DIR_OLD="/config/custom-services.d"
 SCRIPTS_DIR="/custom-cont-init.d"
-SERVICES_DIR="/custom-services.d"
 
 # chown legacy folders if they exist
 if [ -e "${SCRIPTS_DIR_OLD}" ]; then
 chown -R 0:0 "${SCRIPTS_DIR_OLD}"
 fi
 
-if [ -e "${SERVICES_DIR_OLD}" ]; then
- chown -R 0:0 "${SERVICES_DIR_OLD}"
-fi
-
-# Remove all existing custom services before continuing to ensure
-# we aren't running anything the user may have removed
-if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
- echo "[custom-init] removing existing custom services..."
- rm -rf /etc/services.d/custom-service-*
-fi
-
 if { [ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } && \
- { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
- { [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } && \
- { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
+ { [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; }; then
 echo "[custom-init] no custom files found, exiting..."
 exit 0
 fi
 
 # Make sure custom init directory exists and has files in it
-if { [ -e "${SCRIPTS_DIR}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } || \
- { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then
+if { [ -e "${SCRIPTS_DIR}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; }; then
 if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then
 echo "[custom-init] files found, executing"
 for SCRIPT in ${SCRIPTS_DIR}/*; do
@@ -46,25 +30,9 @@ if { [ -e "${SCRIPTS_DIR}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)"
 fi
 done
 fi
- if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
- echo "[custom-init] service files found in ${SERVICES_DIR}"
- for SERVICE in ${SERVICES_DIR}/*; do
- NAME="$(basename "${SERVICE}")"
- if [ -f "${SERVICE}" ]; then
- echo "[custom-init] ${NAME}: service detected, copying..."
- mkdir -p /etc/services.d/custom-service-"${NAME}"/
- cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
- chmod +x /etc/services.d/custom-service-"${NAME}"/run
- echo "[custom-init] ${NAME}: copied"
- elif [ ! -f "${SERVICE}" ]; then
- echo "[custom-init] ${NAME}: is not a file"
- fi
- done
- fi
 fi
-if { [ -e "${SCRIPTS_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } || \
- { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
+if { [ -e "${SCRIPTS_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; }; then
 if [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; then
 echo "[custom-init] files found, executing"
 for SCRIPT in ${SCRIPTS_DIR_OLD}/*; do
@@ -78,19 +46,4 @@ if { [ -e "${SCRIPTS_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev
 fi
 done
 fi
- if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then
- echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
- for SERVICE in ${SERVICES_DIR_OLD}/*; do
- NAME="$(basename "${SERVICE}")"
- if [ -f "${SERVICE}" ]; then
- echo "[custom-init] ${NAME}: service detected, copying..."
- mkdir -p /etc/services.d/custom-service-"${NAME}"/
- cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
- chmod +x /etc/services.d/custom-service-"${NAME}"/run
- echo "[custom-init] ${NAME}: copied"
- elif [ ! -f "${SERVICE}" ]; then
- echo "[custom-init] ${NAME}: is not a file"
- fi
- done
- fi
 fi
From 1f81e9ac8a4ca4a7047d96067f8644e4f55fff29 Mon Sep 17 00:00:00 2001
From: TheSpad Date: Fri, 10 Jun 2022 16:16:25 +0100 Subject: [PATCH 07/60] Add custom service handling --- root/docker-mods | 62 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/root/docker-mods b/root/docker-mods index 732f167..486be1d 100755 --- a/root/docker-mods +++ b/root/docker-mods 
@@ -131,3 +131,65 @@ done # Set executable bit on cont-init and services that may have been unpacked by mods set_legacy_executable_bits + +# Process Custom Services +SERVICES_DIR_OLD="/config/custom-services.d" +SERVICES_DIR="/custom-services.d" + +if [ -e "${SERVICES_DIR_OLD}" ]; then + chown -R 0:0 "${SERVICES_DIR_OLD}" +fi + +# Remove all existing custom services before continuing to ensure +# we aren't running anything the user may have removed +if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then + echo "[custom-init] removing existing custom services..." + rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* +fi + +if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ + { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then + echo "[custom-init] no custom files found, exiting..." + exit 0 +fi + +# Make sure custom init directory exists and has files in it +if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then + if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then + echo "[custom-init] service files found in ${SERVICES_DIR}" + for SERVICE in ${SERVICES_DIR}/*; do + NAME="$(basename "${SERVICE}")" + if [ -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up + echo "[custom-init] ${NAME}: copied" + elif [ ! 
-f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: is not a file" + fi + done + fi +fi + +if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then + if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then + echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" + for SERVICE in ${SERVICES_DIR_OLD}/*; do + NAME="$(basename "${SERVICE}")" + if [ -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up + echo "[custom-init] ${NAME}: copied" + elif [ ! -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: is not a file" + fi + done + fi +fi \ No newline at end of file From 36c3f7ffb50e370b39652951b459bedfe23c220c Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 10 Jun 2022 16:19:53 +0100 Subject: [PATCH 08/60] Trailing newline --- root/docker-mods | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/docker-mods b/root/docker-mods index 486be1d..660b8ad 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -192,4 +192,4 @@ if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/d fi done fi -fi \ No newline at end of file +fi From 1dabda8b6271a4c0db4119fb016d0a409a578d65 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 10 Jun 2022 16:29:36 +0100 Subject: [PATCH 09/60] Split tamper check between files/services --- root/docker-mods | 18 ++++++++++---- .../s6-overlay/s6-rc.d/init-tamper-check/run | 24 ++++++++----------- 2 files changed, 24 insertions(+), 18 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 660b8ad..3949e99 100755 --- a/root/docker-mods 
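Review bot: The `custom-svc-${NAME}` directories written under /etc/s6-overlay/s6-rc.d are never added to a bundle in this hunk, and nothing visible in this patch creates a `user/contents.d/custom-svc-<name>` entry, so it is unclear how s6-rc is meant to bring them up; if a later patch does that wiring, a comment here saying so would help, otherwise `touch /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-"${NAME}"` after the `type` line looks like the missing step. The non-legacy `/custom-services.d` path also gets no ownership check at all, unlike `/config/custom-services.d`; presumably it is expected to be an operator-mounted, root-owned volume, which deserves a comment above `SERVICES_DIR=`. Finally, `NAME` comes from `basename` of a user-supplied filename and is embedded unquoted in the generated `up` file, so a name containing whitespace yields an `up` that points at the wrong path. The two copy loops are otherwise identical apart from the directory and could be one function taking the directory as its argument.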
+++ b/root/docker-mods
@@ -136,10 +136,6 @@ set_legacy_executable_bits
 SERVICES_DIR_OLD="/config/custom-services.d"
 SERVICES_DIR="/custom-services.d"
-if [ -e "${SERVICES_DIR_OLD}" ]; then
- chown -R 0:0 "${SERVICES_DIR_OLD}"
-fi
-
 # Remove all existing custom services before continuing to ensure
 # we aren't running anything the user may have removed
 if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then
@@ -147,6 +143,20 @@ if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then
 rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
 fi
+# Tamper check services
+if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
+ echo "**** Potential tampering with custom scripts detected ****"
+ randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
+ mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"
+ echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****"
+ echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+ mkdir -p /config/custom-services.d
+ chown 0:0 /config/custom-services.d
+elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
+ echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****"
+ echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+fi
+
 if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
 { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
 echo "[custom-init] no custom files found, exiting..."
diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run
index 6699a27..04aec81 100755
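Review bot: The tamper check added here is a verbatim copy of the one in init-tamper-check/run with only the directory changed, and it carries over `head -c${1:-8}`, which in this script reads docker-mods' own first positional argument as the suffix length; `head -c 8` says what is meant. A shared helper taking the directory as its argument, e.g. `tamper_check_dir "/config/custom-services.d"`, would keep the two copies from drifting. Separately, the `-perm -o+w` branch only prints a warning and the script then carries on to install those world-writable files as s6 services; since the message itself calls this a security risk, either skip `SERVICES_DIR_OLD` in that case or add a comment stating that proceeding is deliberate.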
--- a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run 
@@ -1,18 +1,14 @@
 #!/usr/bin/with-contenv bash
-if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
- echo "**** Potential tampering with custom scripts/services detected ****"
+if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]); then
+ echo "**** Potential tampering with custom scripts detected ****"
 randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
- for folder in "/config/custom-cont-init.d" "/config/custom-services.d"; do
- if [ -d "${folder}" ]; then
- mv "${folder}" "${folder}.${randstr}"
- echo "**** Folder ${folder} is moved to ${folder}.${randstr} ****"
- fi
- done
- echo "**** The folders '/config/custom-cont-init.d' and '/config/custom-services.d'; and their contents need to all be owned by root to prevent root escalation inside the container!!! ****"
- mkdir -p /config/custom-cont-init.d /config/custom-services.d
- chown 0:0 /config/custom-cont-init.d /config/custom-services.d
-elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
- echo "**** The folders '/config/custom-cont-init.d' or '/config/custom-services.d'; or some of their contents have write permissions for others, which is a security risk. ****"
- echo "**** Please review the permissions of these two folders and their contents to make sure they are owned by root, and can only be modified by root. ****"
+ mv "/config/custom-cont-init.d" "/config/custom-cont-init.d.${randstr}"
+ echo "**** Folder /config/custom-cont-init.d is moved to /config/custom-cont-init.d.${randstr} ****"
+ echo "**** The folder '/config/custom-cont-init.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+ mkdir -p /config/custom-cont-init.d
+ chown 0:0 /config/custom-cont-init.d
+elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]); then
+ echo "**** The folder '/config/custom-cont-init.d' or some of its contents have write permissions for others, which is a security risk. ****"
+ echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
 fi
From c285069d03b7cd97e522c1dd7a3c0018c4ce9a59 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 10 Jun 2022 16:31:30 +0100
Subject: [PATCH 10/60] Fix service file types
---
 root/docker-mods | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/root/docker-mods b/root/docker-mods
index 3949e99..6249e74 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -174,8 +174,7 @@ if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)
 mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
 cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
 chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
- echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
- echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up
+ echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
 echo "[custom-init] ${NAME}: copied"
 elif [ ! -f "${SERVICE}" ]; then
 echo "[custom-init] ${NAME}: is not a file"
From 3e69697264a755dc141e5e5d2ef023950b460aa3 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 10 Jun 2022 16:34:16 +0100
Subject: [PATCH 11/60] Still chown old services folder if it exists
---
 root/etc/s6-overlay/s6-rc.d/init-custom-files/run | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
index a26cb2b..a193f63 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
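Review bot: The quarantine path on the new side never checks that `mv "/config/custom-cont-init.d" "/config/custom-cont-init.d.${randstr}"` succeeded; this script runs under `with-contenv bash` with no `set -e`, so if the rename fails (read-only or otherwise uncooperative /config mount) the directory stays in place with its non-root-owned contents, `mkdir -p` and the non-recursive `chown 0:0` are no-ops on it, the oneshot exits 0, and the dependent init-custom-files goes on to chown and execute those files. Fail closed instead: `mv "/config/custom-cont-init.d" "/config/custom-cont-init.d.${randstr}" || { echo "**** Unable to quarantine /config/custom-cont-init.d, refusing to continue ****"; exit 1; }`, which (assuming s6-rc does not bring up dependents of a failed oneshot, to be confirmed) keeps the custom scripts from running at all. The `( … )` groupings around the `[ -d ] && [ -n ]` tests also spawn a subshell each for no reason; `[ -d … ] && [ -n … ]` alone reads the same.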
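Review bot: Only the `SERVICES_DIR` branch is switched to `longrun`; the parallel `SERVICES_DIR_OLD` branch further down the script (visible when patch 12 moves it, where it still writes `echo "oneshot" > …/type` and an `up` file) keeps registering legacy /config/custom-services.d services as oneshots whose `up` merely runs the file once. The same change belongs there: `echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type` and drop the `up` line. The enclosing `for SERVICE` loop starts and ends outside this hunk.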
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
@@ -4,11 +4,18 @@
 SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
 SCRIPTS_DIR="/custom-cont-init.d"
+SERVICES_DIR_OLD="/config/custom-services.d"
+
 # chown legacy folders if they exist
 if [ -e "${SCRIPTS_DIR_OLD}" ]; then
 chown -R 0:0 "${SCRIPTS_DIR_OLD}"
 fi
+# chown legacy folders if they exist
+if [ -e "${SERVICES_DIR_OLD}" ]; then
+ chown -R 0:0 "${SERVICES_DIR_OLD}"
+fi
+
 if { [ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } && \
 { [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; }; then
 echo "[custom-init] no custom files found, exiting..."
From d7ac0a9a4ea65bc2114b7e3da5f277e8049ccee7 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 10 Jun 2022 23:38:29 +0100
Subject: [PATCH 12/60] Reorder so custom services aren't dependent on mods
---
 root/docker-mods | 345 ++++++++++++++++++++++++-----------------------
 1 file changed, 179 insertions(+), 166 deletions(-)
diff --git a/root/docker-mods b/root/docker-mods
index 6249e74..881fb36 100755
--- a/root/docker-mods
+++ b/root/docker-mods
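Review bot: The `chown -R 0:0 "${SERVICES_DIR_OLD}"` added here runs from an init oneshot, while the ownership check for that same directory was moved into docker-mods by patch 09; if docker-mods runs after init-custom-files — which the init-os-end → init-config → init-mods chain that patch 13 sets up suggests, though the script that invokes docker-mods is not visible here — every file is already root-owned by the time `find /config/custom-services.d ! -user root` looks, and that check can never fire. Either move this chown into docker-mods after its tamper check, or make it conditional on the check having passed, and say which in a comment; a recursive chown of an operator-writable tree is not something to do before the ownership test that relies on it. The duplicated `# chown legacy folders if they exist` comment can also be folded into the one three lines above.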
@@ -1,37 +1,108 @@ #!/usr/bin/with-contenv bash +#shellcheck disable=SC2120 + # Set executable bit on cont-init and services built into the image -set_legacy_executable_bits() { +set_legacy_executable_bits () { mkdir -p /etc/{cont-init.d,services.d} chmod +x \ /etc/cont-init.d/* \ /etc/services.d/*/* 2> /dev/null || true } -set_legacy_executable_bits -# Exit if mods is not set -if [ -z ${DOCKER_MODS+x} ]; then - exit 0 -fi +# Tamper check legacy custom service locations +tamper_check () { + if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then + echo "**** Potential tampering with custom scripts detected ****" + randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) + mv "/config/custom-services.d" "/config/custom-services.d.${randstr}" + echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****" + echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" + mkdir -p /config/custom-services.d + chown 0:0 /config/custom-services.d + elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then + echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****" + echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" + fi +} + +# Process Custom Services +process_custom_services() { + SERVICES_DIR_OLD="/config/custom-services.d" + SERVICES_DIR="/custom-services.d" + + # Remove all existing custom services before continuing to ensure + # we aren't running anything the user may have removed + if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then + echo "[custom-init] removing existing custom services..." 
+ rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* + fi + + if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ + { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then + echo "[custom-init] no custom files found, exiting..." + return + fi + + # Make sure custom init directory exists and has files in it + if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then + if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then + echo "[custom-init] service files found in ${SERVICES_DIR}" + for SERVICE in ${SERVICES_DIR}/*; do + NAME="$(basename "${SERVICE}")" + if [ -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + echo "[custom-init] ${NAME}: copied" + elif [ ! -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: is not a file" + fi + done + fi + fi + + if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then + if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then + echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" + for SERVICE in ${SERVICES_DIR_OLD}/*; do + NAME="$(basename "${SERVICE}")" + if [ -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up + echo "[custom-init] ${NAME}: copied" + elif [ ! 
-f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: is not a file" + fi + done + fi + fi +} # Check for curl -if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then - echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" - if [ -f /usr/bin/apt ]; then - ## Ubuntu - apt-get update - apt-get install --no-install-recommends -y \ - curl \ - jq - elif [ -f /sbin/apk ]; then - # Alpine - apk add --no-cache \ - curl \ - jq +curl_check () { + if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then + echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" + if [ -f /usr/bin/apt ]; then + ## Ubuntu + apt-get update + apt-get install --no-install-recommends -y \ + curl \ + jq + elif [ -f /sbin/apk ]; then + # Alpine + apk add --no-cache \ + curl \ + jq + fi fi -fi - -## Functions +} # Use different filtering depending on URL get_blob_sha () { 
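Review bot: `tamper_check` and `process_custom_services` are now functions but still write every variable they use (`randstr`, `SERVICES_DIR`, `SERVICES_DIR_OLD`, `SERVICE`, `NAME`) into the global scope, and `tamper_check` keeps `head -c${1:-8}`, which is now a genuine but undocumented and never-passed function parameter that the new file-wide `#shellcheck disable=SC2120` exists only to silence. Declare the variables `local` at the top of each function and write `head -c 8`, after which the disable line can go. A one-line header per function (which directory it inspects and what it leaves behind on disk) would also help, since the comments above them currently describe only the first one. The hunk ends inside `get_blob_sha`, whose body continues outside it.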
@@ -53,152 +124,94 @@ get_blob_sha () { } # Main run logic -echo "[mod-init] Attempting to run Docker Modification Logic" -IFS='|' -DOCKER_MODS=(${DOCKER_MODS}) -for DOCKER_MOD in "${DOCKER_MODS[@]}"; do - # Support alternative endpoints - if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then - DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" - MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" - MODE="ghcr" - else - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" - MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" - MODE="dockerhub" - fi - # Kill off modification logic if any of the usernames are banned - BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt) - IFS=$'\n' - BLACKLIST=(${BLACKLIST}) - for BANNED in "${BLACKLIST[@]}"; do - if [ "${BANNED}" == "${USERNAME,,}" ]; then - if [ -z ${RUN_BANNED_MODS+x} ]; then - echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" - exit 0 - else - echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" +run_mods () { + echo "[mod-init] Attempting to run Docker Modification Logic" + IFS='|' + DOCKER_MODS=(${DOCKER_MODS}) + for DOCKER_MOD in "${DOCKER_MODS[@]}"; do + # Support alternative 
endpoints + if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then + DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" + ENDPOINT="${DOCKER_MOD%%:*}" + USERNAME="${DOCKER_MOD%%/*}" + REPO="${ENDPOINT#*/}" + TAG="${DOCKER_MOD#*:}" + if [[ ${TAG} == "${DOCKER_MOD}" ]]; then + TAG="latest" fi + FILENAME="${USERNAME}.${REPO}.${TAG}" + AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" + MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" + BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" + MODE="ghcr" + else + ENDPOINT="${DOCKER_MOD%%:*}" + USERNAME="${DOCKER_MOD%%/*}" + REPO="${ENDPOINT#*/}" + TAG="${DOCKER_MOD#*:}" + if [[ ${TAG} == "${DOCKER_MOD}" ]]; then + TAG="latest" + fi + FILENAME="${USERNAME}.${REPO}.${TAG}" + AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" + MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" + BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" + MODE="dockerhub" + fi + # Kill off modification logic if any of the usernames are banned + BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt) + IFS=$'\n' + BLACKLIST=(${BLACKLIST}) + for BANNED in "${BLACKLIST[@]}"; do + if [ "${BANNED}" == "${USERNAME,,}" ]; then + if [ -z ${RUN_BANNED_MODS+x} ]; then + echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" + return + else + echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" + fi + fi + done + echo "[mod-init] Applying ${DOCKER_MOD} files to container" + # Get Dockerhub token for api operations + TOKEN="$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ + --silent \ + --header 'GET' \ + "${AUTH_URL}" \ + | jq -r '.token' \ + )" + # Determine first and only layer of image + SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") + # Check if we have allready applied this 
layer + if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then + echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" + else + # Download and extract layer to / + curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ + --silent \ + --location \ + --request GET \ + --header "Authorization: Bearer ${TOKEN}" \ + "${BLOB_URL}${SHALAYER}" -o \ + /modtarball.tar.xz + tar xzf /modtarball.tar.xz -C / + rm -rf /modtarball.tar.xz + echo ${SHALAYER} > "/${FILENAME}" fi done - echo "[mod-init] Applying ${DOCKER_MOD} files to container" - # Get Dockerhub token for api operations - TOKEN=\ -"$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --header 'GET' \ - "${AUTH_URL}" \ - | jq -r '.token' \ - )" - # Determine first and only layer of image - SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") - # Check if we have allready applied this layer - if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then - echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" - else - # Download and extract layer to / - curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer ${TOKEN}" \ - "${BLOB_URL}${SHALAYER}" -o \ - /modtarball.tar.xz - tar xzf /modtarball.tar.xz -C / - rm -rf /modtarball.tar.xz - echo ${SHALAYER} > "/${FILENAME}" - fi -done +} -# Set executable bit on cont-init and services that may have been unpacked by mods +# Tamper check legacy services +tamper_check + +# Process any custom services +process_custom_services + +# Run mod logic +if [ -n "${DOCKER_MODS+x}" ]; then + curl_check + run_mods +fi + +# Set executable bit on legacy cont-init and services built into the image and anything legacy unpacked by mods set_legacy_executable_bits - -# Process Custom Services -SERVICES_DIR_OLD="/config/custom-services.d" -SERVICES_DIR="/custom-services.d" - -# 
Remove all existing custom services before continuing to ensure -# we aren't running anything the user may have removed -if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then - echo "[custom-init] removing existing custom services..." - rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* -fi - -# Tamper check services -if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then - echo "**** Potential tampering with custom scripts detected ****" - randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) - mv "/config/custom-services.d" "/config/custom-services.d.${randstr}" - echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****" - echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" - mkdir -p /config/custom-services.d - chown 0:0 /config/custom-services.d -elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then - echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****" - echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" -fi - -if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ - { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then - echo "[custom-init] no custom files found, exiting..." 
- exit 0 -fi - -# Make sure custom init directory exists and has files in it -if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then - echo "[custom-init] service files found in ${SERVICES_DIR}" - for SERVICE in ${SERVICES_DIR}/*; do - NAME="$(basename "${SERVICE}")" - if [ -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - echo "[custom-init] ${NAME}: copied" - elif [ ! -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - fi -fi - -if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then - echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" - for SERVICE in ${SERVICES_DIR_OLD}/*; do - NAME="$(basename "${SERVICE}")" - if [ -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up - echo "[custom-init] ${NAME}: copied" - elif [ ! -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - fi -fi From 4f51cb2f4fa8223fbe7321b30243eb1decd81342 Mon Sep 17 00:00:00 2001 
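Review bot: `run_mods` unpacks a mod layer into `/` as root with two checks missing on the new side: the ban list is fetched with `BLACKLIST=$(curl -s https://raw.githubusercontent.com/...)` and no `-f` or status check, so an unreachable or erroring fetch yields an empty list and a banned mod is applied, and the downloaded blob is handed straight to `tar xzf /modtarball.tar.xz -C /` without being compared to the digest `get_blob_sha` returned, even though that digest is exactly what the blob URL was built from. Fail closed on the first and verify the second before extracting, as sketched below; whether `SHALAYER` carries a `sha256:` prefix is decided in `get_blob_sha`, which is outside this hunk, so the prefix strip is a guess to confirm. `run_mods` also leaves `IFS` set to newline for the rest of the script, which is harmless today only because nothing after it word-splits. The function body runs from the start of this hunk to the `}` before the trailing calls.
```shell
    # Kill off modification logic if any of the usernames are banned
    if ! BLACKLIST=$(curl -sf https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt); then
      echo "[mod-init] Unable to fetch the mod blacklist, aborting mod logic"
      return
    fi
    # … unchanged: ban check, token fetch, SHALAYER lookup, already-applied test, curl download …
      if [ "$(sha256sum /modtarball.tar.xz | cut -d' ' -f1)" != "${SHALAYER#sha256:}" ]; then
        echo "[mod-init] ${DOCKER_MOD} layer ${SHALAYER} failed digest verification, skipping"
        rm -f /modtarball.tar.xz
        continue
      fi
      tar xzf /modtarball.tar.xz -C /
```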
From: TheSpad Date: Thu, 14 Jul 2022 22:19:49 +0100 Subject: [PATCH 13/60] Rework init order again --- root/etc/s6-overlay/s6-rc.d/init-base/up | 1 - .../dependencies.d/init-config} | 0 .../s6-rc.d/{init-base => init-config-end}/type | 0 .../{init-downstream => init-config-end}/up | 0 .../dependencies.d/init-os-end} | 0 .../s6-rc.d/{init-downstream => init-config}/type | 0 root/etc/s6-overlay/s6-rc.d/init-config/up | 1 + .../dependencies.d/base} | 0 .../dependencies.d/init-adduser} | 0 .../dependencies.d/init-mods} | 0 .../{init-tamper-check => init-mods-end}/type | 0 root/etc/s6-overlay/s6-rc.d/init-mods-end/up | 1 + .../dependencies.d/init-config-end} | 0 root/etc/s6-overlay/s6-rc.d/init-mods/type | 1 + root/etc/s6-overlay/s6-rc.d/init-mods/up | 1 + .../dependencies.d/base} | 0 .../dependencies.d/init-adduser} | 0 .../dependencies.d/init-custom-files} | 0 .../dependencies.d/init-envfile} | 0 .../dependencies.d/init-migrations} | 0 .../dependencies.d/init-script-check} | 0 root/etc/s6-overlay/s6-rc.d/init-os-end/type | 1 + root/etc/s6-overlay/s6-rc.d/init-os-end/up | 1 + root/etc/s6-overlay/s6-rc.d/init-tamper-check/run | 14 -------------- root/etc/s6-overlay/s6-rc.d/init-tamper-check/up | 1 - .../s6-overlay/s6-rc.d/user/contents.d/init-config | 0 .../s6-rc.d/user/contents.d/init-config-end | 0 .../s6-rc.d/user/contents.d/init-custom-files | 0 .../s6-overlay/s6-rc.d/user/contents.d/init-mods | 0 .../s6-rc.d/user/contents.d/init-mods-end | 0 .../s6-overlay/s6-rc.d/user/contents.d/init-os-end | 0 31 files changed, 6 insertions(+), 16 deletions(-) delete mode 100644 root/etc/s6-overlay/s6-rc.d/init-base/up rename root/etc/s6-overlay/s6-rc.d/{init-adduser/dependencies.d/init-tamper-check => init-config-end/dependencies.d/init-config} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-base => init-config-end}/type (100%) rename root/etc/s6-overlay/s6-rc.d/{init-downstream => init-config-end}/up (100%) rename root/etc/s6-overlay/s6-rc.d/{init-base/dependencies.d/base => 
init-config/dependencies.d/init-os-end} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-downstream => init-config}/type (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-config/up rename root/etc/s6-overlay/s6-rc.d/{init-base/dependencies.d/init-adduser => init-custom-files/dependencies.d/base} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-base/dependencies.d/init-envfile => init-custom-files/dependencies.d/init-adduser} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-base/dependencies.d/init-migrations => init-mods-end/dependencies.d/init-mods} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-tamper-check => init-mods-end}/type (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods-end/up rename root/etc/s6-overlay/s6-rc.d/{init-base/dependencies.d/init-script-check => init-mods/dependencies.d/init-config-end} (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods/up rename root/etc/s6-overlay/s6-rc.d/{init-base/dependencies.d/init-tamper-check => init-os-end/dependencies.d/base} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-custom-files/dependencies.d/init-downstream => init-os-end/dependencies.d/init-adduser} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-downstream/dependencies.d/init-base => init-os-end/dependencies.d/init-custom-files} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-tamper-check/dependencies.d/init-script-check => init-os-end/dependencies.d/init-envfile} (100%) rename root/etc/s6-overlay/s6-rc.d/{user/contents.d/init-base => init-os-end/dependencies.d/init-migrations} (100%) rename root/etc/s6-overlay/s6-rc.d/{user/contents.d/init-tamper-check => init-os-end/dependencies.d/init-script-check} (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-os-end/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-os-end/up delete mode 100755 root/etc/s6-overlay/s6-rc.d/init-tamper-check/run delete mode 100644 
root/etc/s6-overlay/s6-rc.d/init-tamper-check/up create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-config create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-config-end create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-custom-files create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-end create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-os-end diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/up b/root/etc/s6-overlay/s6-rc.d/init-base/up deleted file mode 100644 index 0738317..0000000 --- a/root/etc/s6-overlay/s6-rc.d/init-base/up +++ /dev/null @@ -1 +0,0 @@ -# This file doesn't do anything, it's just the end of the base image init process diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-tamper-check b/root/etc/s6-overlay/s6-rc.d/init-config-end/dependencies.d/init-config similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-tamper-check rename to root/etc/s6-overlay/s6-rc.d/init-config-end/dependencies.d/init-config diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/type b/root/etc/s6-overlay/s6-rc.d/init-config-end/type similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-base/type rename to root/etc/s6-overlay/s6-rc.d/init-config-end/type diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/up b/root/etc/s6-overlay/s6-rc.d/init-config-end/up similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-downstream/up rename to root/etc/s6-overlay/s6-rc.d/init-config-end/up diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/base b/root/etc/s6-overlay/s6-rc.d/init-config/dependencies.d/init-os-end similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/base rename to root/etc/s6-overlay/s6-rc.d/init-config/dependencies.d/init-os-end 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/type b/root/etc/s6-overlay/s6-rc.d/init-config/type similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-downstream/type rename to root/etc/s6-overlay/s6-rc.d/init-config/type diff --git a/root/etc/s6-overlay/s6-rc.d/init-config/up b/root/etc/s6-overlay/s6-rc.d/init-config/up new file mode 100644 index 0000000..e80acfe --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-config/up @@ -0,0 +1 @@ +# This file doesn't do anything, it's just the start of the downstream image init process diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser b/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/base similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser rename to root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/base diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile b/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-adduser similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile rename to root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-adduser diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations b/root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mods similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations rename to root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mods diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/type b/root/etc/s6-overlay/s6-rc.d/init-mods-end/type similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-tamper-check/type rename to root/etc/s6-overlay/s6-rc.d/init-mods-end/type diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-end/up b/root/etc/s6-overlay/s6-rc.d/init-mods-end/up new file mode 100644 index 0000000..092149d --- /dev/null 
+++ b/root/etc/s6-overlay/s6-rc.d/init-mods-end/up @@ -0,0 +1 @@ +# This file doesn't do anything, it's just the end of the mod init process diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/init-mods/dependencies.d/init-config-end similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check rename to root/etc/s6-overlay/s6-rc.d/init-mods/dependencies.d/init-config-end diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods/type b/root/etc/s6-overlay/s6-rc.d/init-mods/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-mods/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods/up b/root/etc/s6-overlay/s6-rc.d/init-mods/up new file mode 100644 index 0000000..040d801 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-mods/up @@ -0,0 +1 @@ +# This file doesn't do anything, it's just the start of the mod init process diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-tamper-check b/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/base similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-tamper-check rename to root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/base diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream b/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-adduser similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream rename to root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-adduser 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base b/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-custom-files similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base rename to root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-custom-files diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/dependencies.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-envfile similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-tamper-check/dependencies.d/init-script-check rename to root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-envfile diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base b/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-migrations similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base rename to root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-migrations diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-tamper-check b/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-script-check similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/user/contents.d/init-tamper-check rename to root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-script-check diff --git a/root/etc/s6-overlay/s6-rc.d/init-os-end/type b/root/etc/s6-overlay/s6-rc.d/init-os-end/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-os-end/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-os-end/up b/root/etc/s6-overlay/s6-rc.d/init-os-end/up new file mode 100644 index 0000000..092149d --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-os-end/up @@ -0,0 +1 @@ +# This file doesn't do anything, it's just the end of the mod init process 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run deleted file mode 100755 index 04aec81..0000000 --- a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/run +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/with-contenv bash - -if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]); then - echo "**** Potential tampering with custom scripts detected ****" - randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) - mv "/config/custom-cont-init.d" "/config/custom-cont-init.d.${randstr}" - echo "**** Folder /config/custom-cont-init.d is moved to /config/custom-cont-init.d.${randstr} ****" - echo "**** The folder '/config/custom-cont-init.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" - mkdir -p /config/custom-cont-init.d - chown 0:0 /config/custom-cont-init.d -elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]); then - echo "**** The folder '/config/custom-cont-init.d' or some of its contents have write permissions for others, which is a security risk. ****" - echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" -fi diff --git a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/up b/root/etc/s6-overlay/s6-rc.d/init-tamper-check/up deleted file mode 100644 index 80c298e..0000000 --- a/root/etc/s6-overlay/s6-rc.d/init-tamper-check/up +++ /dev/null @@ -1 +0,0 @@ -/etc/s6-overlay/s6-rc.d/init-tamper-check/run diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-config b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-config new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-config-end b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-config-end new file mode 100644 index 0000000..e69de29 
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-custom-files b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-custom-files new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-end b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-end new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-os-end b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-os-end new file mode 100644 index 0000000..e69de29 From e890f470b66ba6bfc814b57f68ee7b0ef8498d08 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Thu, 14 Jul 2022 22:20:10 +0100 Subject: [PATCH 14/60] Fix old path handling, touch deps --- root/docker-mods | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 881fb36..dcdcc4f 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -40,11 +40,11 @@ process_custom_services() { if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then - echo "[custom-init] no custom files found, exiting..." + echo "[custom-init] no custom services found, skipping..." return fi - # Make sure custom init directory exists and has files in it + # Make sure custom service directory exists and has files in it if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then echo "[custom-init] service files found in ${SERVICES_DIR}" 
@@ -56,6 +56,8 @@ process_custom_services() { cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-mods + touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" echo "[custom-init] ${NAME}: copied" elif [ ! -f "${SERVICE}" ]; then echo "[custom-init] ${NAME}: is not a file" @@ -74,8 +76,9 @@ process_custom_services() { mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up + echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-mods + touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" echo "[custom-init] ${NAME}: copied" elif [ ! -f "${SERVICE}" ]; then echo "[custom-init] ${NAME}: is not a file" From bb2ab4ccdfd4008162f527f20a8a6bbacbaed962 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Thu, 14 Jul 2022 22:20:23 +0100 Subject: [PATCH 15/60] Change message wording to be more accurate --- root/etc/s6-overlay/s6-rc.d/init-custom-files/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run index a193f63..68f4291 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run +++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run 
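Review bot: The added `touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-mods` writes into a `dependencies.d` directory that nothing in either hunk creates; the `mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/` visible in the second hunk only creates the service directory itself, so unless `dependencies.d` is created elsewhere (not visible here) the `touch` fails with "No such file or directory" and the service is registered without its ordering constraint. Change the existing line to `mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d` (it still creates the parent) before the two `touch` calls. The same gap applies to the two hunks of PATCH 23 (`@@ -56,7 +56,7 @@` and `@@ -77,7 +77,7 @@`), which only rename the dependency target. process_custom_services() starts and ends outside both hunks.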
@@ -18,7 +18,7 @@ fi if { [ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } && \ { [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; }; then - echo "[custom-init] no custom files found, exiting..." + echo "[custom-init] no custom files found, skipping..." exit 0 fi From b5f9bf10939d1711942a857f77b4465e20935ac9 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 15 Jul 2022 21:07:38 +0100 Subject: [PATCH 16/60] Handle dual-mode mods --- root/docker-mods | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/root/docker-mods b/root/docker-mods index dcdcc4f..dea7cdd 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -197,7 +197,20 @@ run_mods () { --header "Authorization: Bearer ${TOKEN}" \ "${BLOB_URL}${SHALAYER}" -o \ /modtarball.tar.xz - tar xzf /modtarball.tar.xz -C / + mkdir -p /tmp/mod + tar xzf /modtarball.tar.xz -C /tmp/mod + if [ -d /tmp/mod/etc/s6-overlay ]; then + if [ -d /tmp/mod/etc/cont-init.d ]; then + rm -rf /tmp/mod/etc/cont-init.d + fi + if [ -d /tmp/mod/etc/services.d ]; then + rm -rf /tmp/mod/etc/services.d + fi + fi + shopt -s dotglob + mv /tmp/mod/* / + shopt -u dotglob + rm -rf /tmp/mod rm -rf /modtarball.tar.xz echo ${SHALAYER} > "/${FILENAME}" fi From 74a451627101e81fce26ed3f6372e81add6609c9 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 15 Jul 2022 21:12:39 +0100 Subject: [PATCH 17/60] Fix UMASK handling --- root/usr/bin/with-contenv | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/root/usr/bin/with-contenv b/root/usr/bin/with-contenv index e26f8f4..c5dabdd 100755 --- a/root/usr/bin/with-contenv +++ b/root/usr/bin/with-contenv 
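Review bot: In the run_mods hunk, `/tmp/mod` is a fixed, predictable staging path that is `mkdir -p`'d, merged into `/` with `mv`, then `rm -rf`'d, so anything already sitting under `/tmp/mod` from an earlier or aborted run is silently merged into the root filesystem, and a failed `tar` is not detected before the `mv`. Stage each mod in a fresh `mktemp -d` directory, check the extraction status, and quote the path throughout; the `done` visible in PATCH 21's hunk suggests this body sits inside the per-mod loop, so a failed extraction can `continue` to the next mod. With `dotglob` set and an empty staging directory the `*` stays literal and `mv` errors on the bogus name, which the rewrite below avoids by skipping the copy when nothing was extracted. run_mods() starts and ends outside the hunk.
```shell
mod_dir=$(mktemp -d) || exit 1
if ! tar xzf /modtarball.tar.xz -C "${mod_dir}"; then
  echo "[mod-init] failed to extract mod tarball, skipping"
  rm -rf "${mod_dir}" /modtarball.tar.xz
  continue
fi
if [ -d "${mod_dir}/etc/s6-overlay" ]; then
  rm -rf "${mod_dir}/etc/cont-init.d" "${mod_dir}/etc/services.d"
fi
if [ -n "$(/bin/ls -A "${mod_dir}" 2>/dev/null)" ]; then
  shopt -s dotglob
  mv "${mod_dir}"/* /
  shopt -u dotglob
fi
rm -rf "${mod_dir}"
# … unchanged: remove tarball, record layer sha …
```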
@@ -1,7 +1,9 @@ #! /bin/bash -if [[ -f /var/run/s6/container_environment/UMASK ]] && [[ "$(pwdx $$)" =~ "/run/s6/services/" ]]; then - umask $(cat /var/run/s6/container_environment/UMASK) - exec /command/with-contenv "$@" -else - exec /command/with-contenv "$@" + +if [[ -f /var/run/s6/container_environment/UMASK ]] && \ + { [[ "$(pwdx $$)" =~ "/run/s6/legacy-services/" ]] || \ + [[ "$(pwdx $$)" =~ "/run/s6/services/" ]] || \ + [[ "$(pwdx $$)" =~ "/servicedirs/svc-" ]]; }; then + umask $(cat /var/run/s6/container_environment/UMASK) fi +exec /command/with-contenv "$@" \ No newline at end of file From dd40de00b677662e1841c365e37ab2f57e1902d9 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 15 Jul 2022 21:13:39 +0100 Subject: [PATCH 18/60] Set s6 service max timeout to 0 --- Dockerfile | 3 ++- Dockerfile.aarch64 | 3 ++- Dockerfile.armhf | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 531216a..063595d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -69,7 +69,8 @@ LABEL maintainer="TheLamer" # environment variables ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \ HOME="/root" \ -TERM="xterm" +TERM="xterm" \ +S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" RUN \ echo "**** install runtime packages ****" && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index daec099..03c98fd 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -69,7 +69,8 @@ LABEL maintainer="TheLamer" # environment variables ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \ HOME="/root" \ -TERM="xterm" +TERM="xterm" \ +S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" RUN \ echo "**** install runtime packages ****" && \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 40467e3..e46f1f3 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf 
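Review bot: `umask $(cat /var/run/s6/container_environment/UMASK)` hands the file content to `umask` unquoted and unvalidated, so an empty or non-octal value (two words, a stray character) makes `umask` print an error and the service still starts under the default mask with no indication that the configured value was ignored. Read the value once and check it before applying it: `umask_val=$(</var/run/s6/container_environment/UMASK)`, then `[[ "${umask_val}" =~ ^[0-7]{1,4}$ ]] && umask "${umask_val}"`, with an `echo` to stderr on the non-matching branch. `$(pwdx $$)` is also spawned three times for the same value and depends on procps being present; `$PWD` should carry the same directory in the current shell, so one `cwd=$PWD` could replace all three substitutions.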
@@ -69,7 +69,8 @@ LABEL maintainer="TheLamer" # environment variables ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \ HOME="/root" \ -TERM="xterm" +TERM="xterm" \ +S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" RUN \ echo "**** install runtime packages ****" && \ From 0e016f977ebd480e8c822ea3cb1200427ece8465 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 15 Jul 2022 21:16:15 +0100 Subject: [PATCH 19/60] Trailing newline --- root/usr/bin/with-contenv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/usr/bin/with-contenv b/root/usr/bin/with-contenv index c5dabdd..212d908 100755 --- a/root/usr/bin/with-contenv +++ b/root/usr/bin/with-contenv @@ -6,4 +6,4 @@ if [[ -f /var/run/s6/container_environment/UMASK ]] && \ [[ "$(pwdx $$)" =~ "/servicedirs/svc-" ]]; }; then umask $(cat /var/run/s6/container_environment/UMASK) fi -exec /command/with-contenv "$@" \ No newline at end of file +exec /command/with-contenv "$@" From e696236d425a7fbc55f35a9fca0ce4fbab489308 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sat, 16 Jul 2022 14:11:00 +0100 Subject: [PATCH 20/60] Copy rather than moving mod files to avoid overwrite issues --- root/docker-mods | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/docker-mods b/root/docker-mods index dea7cdd..af82abc 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -208,7 +208,7 @@ run_mods () { fi fi shopt -s dotglob - mv /tmp/mod/* / + cp -R /tmp/mod/* / shopt -u dotglob rm -rf /tmp/mod rm -rf /modtarball.tar.xz From 273f624f3ae8e1c7b199758d880a312ed8cb7cfd Mon Sep 17 00:00:00 2001 From: TheSpad Date: Thu, 21 Jul 2022 17:14:17 +0100 Subject: [PATCH 21/60] Add "success" message to mods --- root/docker-mods | 1 + 1 file changed, 1 insertion(+) diff --git a/root/docker-mods b/root/docker-mods index af82abc..c6e9c9b 100755 --- a/root/docker-mods +++ b/root/docker-mods 
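Review bot: `cp -R /tmp/mod/* /` in the PATCH 20 hunk runs without `-p`/`-a`, so files that `tar` extracted with their archived ownership, mode and timestamps are re-created with the copying process's ownership, the mode filtered through its umask, and fresh timestamps; under GNU cp the set-user-ID/set-group-ID bits are also cleared unless mode is preserved. If a mod ships a file that must keep a specific owner or mode, the copy silently changes it. `cp -a /tmp/mod/* /` (or `cp -Rp`) preserves what `tar` wrote while keeping the overwrite behaviour this commit wants. With `dotglob` set and an empty `/tmp/mod`, `*` stays literal and `cp` errors on the bogus name, as `mv` did before. run_mods() starts and ends outside the hunk.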
@@ -213,6 +213,7 @@ run_mods () { rm -rf /tmp/mod rm -rf /modtarball.tar.xz echo ${SHALAYER} > "/${FILENAME}" + echo "[mod-init] ${DOCKER_MOD} applied to container" fi done } From 3c7ccbd583d10ee69a6222142caf9f3d3e1d6832 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Thu, 21 Jul 2022 17:14:28 +0100 Subject: [PATCH 22/60] Disable custom script check for now --- root/etc/s6-overlay/s6-rc.d/init-script-check/run | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index 0e450db..e13d6d0 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run @@ -1,5 +1,9 @@ #!/usr/bin/with-contenv bash +# This doesn't do anything yet + +exit 0 + if { [ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]; } && \ { [ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]; }; then cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null From 4d28a9cdc624902bc2bf3a92d2594e5a924c2209 Mon Sep 17 00:00:00 2001 
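Review bot: The unconditional `exit 0` inserted at the top of init-script-check/run turns the rest of the file into dead code, and `# This doesn't do anything yet` reads as if the file were a stub rather than a deliberately disabled check. Replace the comment with one that records why it is disabled and what re-enabling it depends on, e.g. `# TODO: check disabled pending the new custom-files layout; remove the early exit once both directories are handled`. With init-tamper-check/run deleted earlier in this series and this script exiting first, no startup check of /config/custom-cont-init.d ownership or permissions appears to remain unless init-custom-files/run performs one (not visible here), which is worth stating in that comment. The retained `tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt` in the last context line also names one comma-joined path rather than two files, so the README would never reach both directories once this code is re-enabled.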
From: TheSpad Date: Fri, 22 Jul 2022 14:57:59 +0100 Subject: [PATCH 23/60] Move custom files to post-mods, add init-services anchor --- root/docker-mods | 4 ++-- .../init-custom-files/dependencies.d/{base => init-mods-end} | 0 .../dependencies.d/init-custom-files | 0 root/etc/s6-overlay/s6-rc.d/init-services/type | 1 + root/etc/s6-overlay/s6-rc.d/init-services/up | 1 + .../init-adduser => user/contents.d/init-services} | 0 6 files changed, 4 insertions(+), 2 deletions(-) rename root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/{base => init-mods-end} (100%) rename root/etc/s6-overlay/s6-rc.d/{init-os-end => init-services}/dependencies.d/init-custom-files (100%) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-services/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-services/up rename root/etc/s6-overlay/s6-rc.d/{init-custom-files/dependencies.d/init-adduser => user/contents.d/init-services} (100%) diff --git a/root/docker-mods b/root/docker-mods index c6e9c9b..77c2d08 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -56,7 +56,7 @@ process_custom_services() { cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-mods + touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" echo "[custom-init] ${NAME}: copied" elif [ ! -f "${SERVICE}" ]; then 
@@ -77,7 +77,7 @@ process_custom_services() { cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-mods + touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" echo "[custom-init] ${NAME}: copied" elif [ ! -f "${SERVICE}" ]; then diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/base b/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-mods-end similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/base rename to root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-mods-end diff --git a/root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-custom-files b/root/etc/s6-overlay/s6-rc.d/init-services/dependencies.d/init-custom-files similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-os-end/dependencies.d/init-custom-files rename to root/etc/s6-overlay/s6-rc.d/init-services/dependencies.d/init-custom-files diff --git a/root/etc/s6-overlay/s6-rc.d/init-services/type b/root/etc/s6-overlay/s6-rc.d/init-services/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-services/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-services/up b/root/etc/s6-overlay/s6-rc.d/init-services/up new file mode 100644 index 0000000..a7c3905 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-services/up @@ -0,0 +1 @@ +# This file doesn't do anything, it just signals that services can start 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-adduser b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-services similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-adduser rename to root/etc/s6-overlay/s6-rc.d/user/contents.d/init-services From b7b477c8d6d2a8ccd8dcc6ccee5984282ef9743e Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 29 Jul 2022 17:05:19 +0100 Subject: [PATCH 24/60] Support universal mod package install --- .../dependencies.d/init-mods-package-install | 0 .../dependencies.d/init-mods | 0 .../s6-rc.d/init-mods-package-install/run | 35 +++++++++++++++++++ .../s6-rc.d/init-mods-package-install/type | 1 + .../s6-rc.d/init-mods-package-install/up | 1 + .../user/contents.d/init-mods-package-install | 0 6 files changed, 37 insertions(+) create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mods-package-install create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mods create mode 100755 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/type create mode 100644 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/up create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-package-install diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mods-package-install b/root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mods-package-install new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mods b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mods new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run new file mode 100755 index 0000000..295c22a --- /dev/null 
+++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run @@ -0,0 +1,35 @@ +#!/usr/bin/with-contenv bash + +if [ -f "/mod-repo-packages-to-install.list" ]; then + echo "**** Installing all mod packages ****" + if [ -f /usr/bin/apt ]; then + export DEBIAN_FRONTEND="noninteractive" + apt-get update + apt-get install -y --no-install-recommends \ + $(cat /mod-repo-packages-to-install.list) + elif [ -f /usr/bin/apk ]; then + apk add --no-cache \ + $(cat /mod-repo-packages-to-install.list) + fi +fi + +if [ -f "/mod-pip-packages-to-install.list" ]; then + echo "**** Installing all pip packages ****" + python3 -m pip install -U pip wheel setuptools + if [ -f /usr/bin/apt ]; then + PIP_ARGS="-f https://wheel-index.linuxserver.io/ubuntu/" + elif [ -f /usr/bin/apk ]; then + ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||') + if [ "${ALPINE_VER}" = "3.14" ]; then + PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine/" + else + PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/" + fi + fi + python3 -m pip install ${PIP_ARGS} \ + $(cat /mod-pip-packages-to-install.list) +fi + +rm -rf \ + /mod-repo-packages-to-install.list \ + /mod-pip-packages-to-install.list diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/type b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/type new file mode 100644 index 0000000..bdd22a1 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/up b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/up new file mode 100644 index 0000000..fb63301 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/up @@ -0,0 +1 @@ +/etc/s6-overlay/s6-rc.d/init-mods-package-install/run 
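Review bot: None of the `apt-get`, `apk add` or `python3 -m pip install` invocations have their exit status checked and the script has no `set -e`, so a failed update or install still falls through to the `rm -rf` of both list files and the oneshot reports success, leaving the container running without the packages its mods declared and no record of what was requested. Append `|| exit 1` to each install call (e.g. `apk add --no-cache $(cat /mod-repo-packages-to-install.list) || exit 1`) or start the script with `set -e`, and only remove the list files on the success path; a failing oneshot at least surfaces the problem to s6-rc and to the log. `python3 -m pip install -U pip wheel setuptools` also upgrades the toolchain unpinned from the index on every container start, so the environment drifts between restarts; pinning or dropping that line is worth considering. `$(cat …)` is unquoted on purpose to word-split the package list, and a one-line comment saying so would stop a later quoting clean-up from breaking it.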
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-package-install b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mods-package-install new file mode 100644 index 0000000..e69de29 From 34eee0995108e786d59c6f7ded067e6bb04e448b Mon Sep 17 00:00:00 2001 From: TheSpad Date: Wed, 3 Aug 2022 13:45:52 +0100 Subject: [PATCH 25/60] Fix apk path --- root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run index 295c22a..fb5b11d 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run @@ -7,7 +7,7 @@ if [ -f "/mod-repo-packages-to-install.list" ]; then apt-get update apt-get install -y --no-install-recommends \ $(cat /mod-repo-packages-to-install.list) - elif [ -f /usr/bin/apk ]; then + elif [ -f /sbin/apk ]; then apk add --no-cache \ $(cat /mod-repo-packages-to-install.list) fi @@ -18,7 +18,7 @@ if [ -f "/mod-pip-packages-to-install.list" ]; then python3 -m pip install -U pip wheel setuptools if [ -f /usr/bin/apt ]; then PIP_ARGS="-f https://wheel-index.linuxserver.io/ubuntu/" - elif [ -f /usr/bin/apk ]; then + elif [ -f /sbin/apk ]; then ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||') if [ "${ALPINE_VER}" = "3.14" ]; then PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine/" From 9b753d06675b2a7441856276b8fcd01e2f4be213 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sat, 27 Aug 2022 20:35:37 +0100 Subject: [PATCH 26/60] Fix migrations --- .../s6-overlay/s6-rc.d/init-migrations/run | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/run b/root/etc/s6-overlay/s6-rc.d/init-migrations/run index 5eef083..aaf084a 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-migrations/run 
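Review bot: The PATCH 25 fix swaps one hard-coded binary path for another (`/usr/bin/apk` → `/sbin/apk`), which is the brittleness that broke here in the first place; absolute-path probing also checks for `apt` while the code then calls `apt-get`. Detect the package manager through the lookup path instead, in both hunks: `if command -v apt-get >/dev/null 2>&1; then` and `elif command -v apk >/dev/null 2>&1; then`. The enclosing `if` blocks start outside each hunk.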
+++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/run @@ -5,25 +5,25 @@ MIGRATIONS_HISTORY="/config/.migrations" echo "[migrations] started" -if [ ! -d $MIGRATIONS_DIR ]; then +if [[ ! -d ${MIGRATIONS_DIR} ]]; then echo "[migrations] no migrations found" - exit 0 + exit fi -for MIGRATION in $(ls -1 ${MIGRATIONS_DIR}/* | sort -n); do +for MIGRATION in $(find ${MIGRATIONS_DIR}/* | sort -n); do NAME="$(basename "${MIGRATION}")" - if [ -f $MIGRATIONS_HISTORY ] && grep -Fxq "$NAME" $MIGRATIONS_HISTORY; then + if [[ -f ${MIGRATIONS_HISTORY} ]] && grep -Fxq "${NAME}" ${MIGRATIONS_HISTORY}; then echo "[migrations] ${NAME}: skipped" continue fi echo "[migrations] ${NAME}: executing..." - chmod +x $MIGRATION - EXIT_CODE=$(/bin/bash ${MIGRATION}; echo $?) - if [ $EXIT_CODE -ne 0 ]; then - echo "[migrations] ${NAME}: failed with exit code $EXIT_CODE, contact support" - exit $EXIT_CODE + chmod +x "${MIGRATION}" + EXIT_CODE=$(/bin/bash "${MIGRATION}"; echo $?) + if [[ ${EXIT_CODE} -ne 0 ]]; then + echo "[migrations] ${NAME}: failed with exit code ${EXIT_CODE}, contact support" + exit "${EXIT_CODE}" fi - echo $NAME >> $MIGRATIONS_HISTORY + echo "${NAME}" >> ${MIGRATIONS_HISTORY} echo "[migrations] ${NAME}: succeeded" done From 7519dd8f9702e184457d735006bda479c7b5a8cd Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 12:55:22 +0100 Subject: [PATCH 27/60] Integrate changes from Edge PR #123 --- root/docker-mods | 370 +++++++++--------- root/etc/s6-overlay/s6-rc.d/init-adduser/run | 5 +- .../s6-overlay/s6-rc.d/init-custom-files/run | 70 ++-- root/etc/s6-overlay/s6-rc.d/init-envfile/run | 29 +- .../s6-overlay/s6-rc.d/init-migrations/run | 38 +- .../s6-rc.d/init-mods-package-install/run | 23 +- .../s6-overlay/s6-rc.d/init-script-check/run | 7 +- root/usr/bin/with-contenv | 12 +- 8 files changed, 285 insertions(+), 269 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 77c2d08..9217c73 100755 --- a/root/docker-mods +++ b/root/docker-mods 
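Review bot: `EXIT_CODE=$(/bin/bash "${MIGRATION}"; echo $?)` captures the migration's stdout together with its status, so any migration that prints anything leaves `EXIT_CODE` as output plus a trailing digit and the following `[[ ${EXIT_CODE} -ne 0 ]]` errors out or misjudges the result; run it directly and read `$?` on the next line: `/bin/bash "${MIGRATION}"` then `EXIT_CODE=$?`. The switch from `ls -1` to `find ${MIGRATIONS_DIR}/*` also changes what is iterated: `find` descends into subdirectories and lists directories themselves, and the unquoted `$(…)` still word-splits paths; `find "${MIGRATIONS_DIR}" -maxdepth 1 -type f | sort -n` keeps the previous flat-file behaviour. `${MIGRATIONS_HISTORY}` and `${MIGRATIONS_DIR}` remain unquoted on the `grep`, `>>` and `find` lines even though the commit quotes the other expansions.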
@@ -1,221 +1,215 @@ #!/usr/bin/with-contenv bash - -#shellcheck disable=SC2120 +# shellcheck shell=bash # Set executable bit on cont-init and services built into the image -set_legacy_executable_bits () { - mkdir -p /etc/{cont-init.d,services.d} - chmod +x \ - /etc/cont-init.d/* \ - /etc/services.d/*/* 2> /dev/null || true +set_legacy_executable_bits() { + mkdir -p /etc/{cont-init.d,services.d} + chmod +x \ + /etc/cont-init.d/* \ + /etc/services.d/*/* 2>/dev/null || true } # Tamper check legacy custom service locations -tamper_check () { - if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then - echo "**** Potential tampering with custom scripts detected ****" - randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) - mv "/config/custom-services.d" "/config/custom-services.d.${randstr}" - echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****" - echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" - mkdir -p /config/custom-services.d - chown 0:0 /config/custom-services.d - elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then - echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****" - echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - fi +tamper_check() { + if [[ -d "/config/custom-services.d" ]] && [[ -n "$(find /config/custom-services.d ! -user root)" ]]; then + echo "**** Potential tampering with custom scripts detected ****" + randstr=$( + tr /dev/null)" ]; then - echo "[custom-init] removing existing custom services..." 
- rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* - fi + # Remove all existing custom services before continuing to ensure + # we aren't running anything the user may have removed + if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then + echo "[custom-init] removing existing custom services..." + rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* + fi - if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ - { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then - echo "[custom-init] no custom services found, skipping..." - return - fi + if [[ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]] && + [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then + echo "[custom-init] no custom services found, skipping..." + return + fi - # Make sure custom service directory exists and has files in it - if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then + # Make sure custom service directory exists and has files in it + if [[ -e "${SERVICES_DIR}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]]; then echo "[custom-init] service files found in ${SERVICES_DIR}" - for SERVICE in ${SERVICES_DIR}/*; do - NAME="$(basename "${SERVICE}")" - if [ -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services - touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" - echo "[custom-init] ${NAME}: copied" - elif [ ! 
-f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi + for SERVICE in "${SERVICES_DIR}"/*; do + NAME="$(basename "${SERVICE}")" + if [[ -f "${SERVICE}" ]]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services + touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" + echo "[custom-init] ${NAME}: copied" + elif [[ ! -f "${SERVICE}" ]]; then + echo "[custom-init] ${NAME}: is not a file" + fi done - fi - fi + fi - if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then + if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" - for SERVICE in ${SERVICES_DIR_OLD}/*; do - NAME="$(basename "${SERVICE}")" - if [ -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services - touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" - echo "[custom-init] ${NAME}: copied" - elif [ ! 
-f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi + for SERVICE in "${SERVICES_DIR_OLD}"/*; do + NAME="$(basename "${SERVICE}")" + if [[ -f "${SERVICE}" ]]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services + touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}" + echo "[custom-init] ${NAME}: copied" + elif [[ ! -f "${SERVICE}" ]]; then + echo "[custom-init] ${NAME}: is not a file" + fi done - fi - fi + fi } # Check for curl -curl_check () { - if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then - echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" - if [ -f /usr/bin/apt ]; then - ## Ubuntu - apt-get update - apt-get install --no-install-recommends -y \ - curl \ - jq - elif [ -f /sbin/apk ]; then - # Alpine - apk add --no-cache \ - curl \ - jq +curl_check() { + if [[ ! -f /usr/bin/curl ]] || [[ ! 
-f /usr/bin/jq ]]; then + echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" + if [[ -f /usr/bin/apt ]]; then + ## Ubuntu + apt-get update + apt-get install --no-install-recommends -y \ + curl \ + jq + elif [[ -f /sbin/apk ]]; then + # Alpine + apk add --no-cache \ + curl \ + jq + fi fi - fi } # Use different filtering depending on URL -get_blob_sha () { - if [[ $1 == "ghcr" ]]; then - curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer $2" \ - $3 | jq -r '.layers[0].digest' - else - curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer $2" \ - $3 | jq -r '.fsLayers[0].blobSum' - fi +get_blob_sha() { + if [[ $1 == "ghcr" ]]; then + curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ + --silent \ + --location \ + --request GET \ + --header "Authorization: Bearer $2" \ + "$3" | jq -r '.layers[0].digest' + else + curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ + --silent \ + --location \ + --request GET \ + --header "Authorization: Bearer $2" \ + "$3" | jq -r '.fsLayers[0].blobSum' + fi } # Main run logic -run_mods () { - echo "[mod-init] Attempting to run Docker Modification Logic" - IFS='|' - DOCKER_MODS=(${DOCKER_MODS}) - for DOCKER_MOD in "${DOCKER_MODS[@]}"; do - # Support alternative endpoints - if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then - DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" - MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" - MODE="ghcr" - 
else - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" - MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" - MODE="dockerhub" - fi - # Kill off modification logic if any of the usernames are banned - BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt) - IFS=$'\n' - BLACKLIST=(${BLACKLIST}) - for BANNED in "${BLACKLIST[@]}"; do - if [ "${BANNED}" == "${USERNAME,,}" ]; then - if [ -z ${RUN_BANNED_MODS+x} ]; then - echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" - return +run_mods() { + echo "[mod-init] Attempting to run Docker Modification Logic" + for DOCKER_MOD in $(echo "${DOCKER_MODS}" | tr '|' '\n'); do + # Support alternative endpoints + if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then + DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" + ENDPOINT="${DOCKER_MOD%%:*}" + USERNAME="${DOCKER_MOD%%/*}" + REPO="${ENDPOINT#*/}" + TAG="${DOCKER_MOD#*:}" + if [[ ${TAG} == "${DOCKER_MOD}" ]]; then + TAG="latest" + fi + FILENAME="${USERNAME}.${REPO}.${TAG}" + AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" + MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" + BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" + MODE="ghcr" else - echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" + ENDPOINT="${DOCKER_MOD%%:*}" + USERNAME="${DOCKER_MOD%%/*}" + REPO="${ENDPOINT#*/}" + TAG="${DOCKER_MOD#*:}" + if [[ ${TAG} == "${DOCKER_MOD}" ]]; then + TAG="latest" + fi + FILENAME="${USERNAME}.${REPO}.${TAG}" + 
AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" + MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" + BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" + MODE="dockerhub" + fi + # Kill off modification logic if any of the usernames are banned + for BANNED in $(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt); do + if [[ "${BANNED,,}" == "${USERNAME,,}" ]]; then + if [[ -z ${RUN_BANNED_MODS+x} ]]; then + echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" + return + else + echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" + fi + fi + done + echo "[mod-init] Applying ${DOCKER_MOD} files to container" + # Get Dockerhub token for api operations + TOKEN="$( + curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ + --silent \ + --header 'GET' \ + "${AUTH_URL}" | + jq -r '.token' + )" + # Determine first and only layer of image + SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") + # Check if we have allready applied this layer + if [[ -f "/${FILENAME}" ]] && [[ "${SHALAYER}" == "$(cat /"${FILENAME}")" ]]; then + echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" + else + # Download and extract layer to / + curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ + --silent \ + --location \ + --request GET \ + --header "Authorization: Bearer ${TOKEN}" \ + "${BLOB_URL}${SHALAYER}" -o \ + /modtarball.tar.xz + mkdir -p /tmp/mod + tar xzf /modtarball.tar.xz -C /tmp/mod + if [[ -d /tmp/mod/etc/s6-overlay ]]; then + if [[ -d /tmp/mod/etc/cont-init.d ]]; then + rm -rf /tmp/mod/etc/cont-init.d + fi + if [[ -d /tmp/mod/etc/services.d ]]; then + rm -rf /tmp/mod/etc/services.d + fi + fi + shopt -s dotglob + cp -R /tmp/mod/* / + shopt -u dotglob + rm -rf /tmp/mod + rm -rf /modtarball.tar.xz + echo "${SHALAYER}" >"/${FILENAME}" + 
echo "[mod-init] ${DOCKER_MOD} applied to container" fi - fi done - echo "[mod-init] Applying ${DOCKER_MOD} files to container" - # Get Dockerhub token for api operations - TOKEN="$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --header 'GET' \ - "${AUTH_URL}" \ - | jq -r '.token' \ - )" - # Determine first and only layer of image - SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") - # Check if we have allready applied this layer - if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then - echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" - else - # Download and extract layer to / - curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer ${TOKEN}" \ - "${BLOB_URL}${SHALAYER}" -o \ - /modtarball.tar.xz - mkdir -p /tmp/mod - tar xzf /modtarball.tar.xz -C /tmp/mod - if [ -d /tmp/mod/etc/s6-overlay ]; then - if [ -d /tmp/mod/etc/cont-init.d ]; then - rm -rf /tmp/mod/etc/cont-init.d - fi - if [ -d /tmp/mod/etc/services.d ]; then - rm -rf /tmp/mod/etc/services.d - fi - fi - shopt -s dotglob - cp -R /tmp/mod/* / - shopt -u dotglob - rm -rf /tmp/mod - rm -rf /modtarball.tar.xz - echo ${SHALAYER} > "/${FILENAME}" - echo "[mod-init] ${DOCKER_MOD} applied to container" - fi - done } # Tamper check legacy services @@ -225,7 +219,7 @@ tamper_check process_custom_services # Run mod logic -if [ -n "${DOCKER_MODS+x}" ]; then +if [[ -n "${DOCKER_MODS+x}" ]]; then curl_check run_mods fi diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/run b/root/etc/s6-overlay/s6-rc.d/init-adduser/run index 1cbae76..a619c4f 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-adduser/run +++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/run @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash PUID=${PUID:-911} PGID=${PGID:-911} 
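Review bot: `echo "${SHALAYER}" >"/${FILENAME}"` at the end of the else branch runs whether or not the download succeeded: `curl -f` returns non-zero on an HTTP error but its status is never checked, and `jq -r` yields the literal string `null` when the manifest has no `.layers[0]`, so one transient failure records the mod as applied and every later start skips it at the "previously applied" test. The blacklist fetch uses `curl -s` with neither `-f` nor a status check, so a network error hands back an empty list and silently disables the ban check; it should at least log when the list comes back empty. Because `SHALAYER` is the registry content digest, comparing `sha256sum` of the downloaded blob to it before extraction is a cheap integrity check (assuming sha256 digests, which is what both jq filters return for current registries). The rewritten download sequence is below; `run_mods` is fully inside this hunk, while the `tamper_check` body in the middle of the hunk is truncated in this listing and I have not reviewed it.
```shell
        # … unchanged: token lookup …
        SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}")
        # A missing/invalid manifest must not be recorded as an applied layer.
        if [[ -z "${SHALAYER}" || "${SHALAYER}" == "null" ]]; then
            echo "[mod-init] ${DOCKER_MOD} could not resolve a layer digest, skipping"
            continue
        fi
        if [[ -f "/${FILENAME}" ]] && [[ "${SHALAYER}" == "$(cat /"${FILENAME}")" ]]; then
            echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping"
            continue
        fi
        if ! curl -f --retry 10 --retry-max-time 60 --retry-all-errors \
            --silent --location --request GET \
            --header "Authorization: Bearer ${TOKEN}" \
            "${BLOB_URL}${SHALAYER}" -o /modtarball.tar.xz; then
            echo "[mod-init] ${DOCKER_MOD} download failed, skipping"
            continue
        fi
        # The blob is content-addressed; refuse to extract anything that does not match.
        if [[ "sha256:$(sha256sum /modtarball.tar.xz | cut -d' ' -f1)" != "${SHALAYER}" ]]; then
            echo "[mod-init] ${DOCKER_MOD} layer digest mismatch, skipping"
            rm -f /modtarball.tar.xz
            continue
        fi
        # … unchanged: extract to /tmp/mod, copy to /, cleanup, write marker …
```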
@@ -37,7 +38,7 @@ User gid: $(id -g abc) time32="$(date +%Y)" if [[ "${time32}" == "1970" || "${time32}" == "1969" ]] && [ "$(uname -m)" == "armv7l" ]; then - echo ' + echo ' @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Your DockerHost is running an outdated version of libseccomp @@ -48,7 +49,7 @@ Apps will not behave correctly without this @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ' -sleep infinity + sleep infinity fi chown abc:abc /app diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run index 68f4291..fb249c6 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run +++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # Directories SCRIPTS_DIR_OLD="/config/custom-cont-init.d" 
@@ -6,51 +7,64 @@ SCRIPTS_DIR="/custom-cont-init.d" SERVICES_DIR_OLD="/config/custom-services.d" +# Tamper check legacy custom script locations +if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then + echo "**** Potential tampering with custom scripts detected ****" + randstr=$( + tr /dev/null)" ]; } && \ - { [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; }; then +if [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]] && + [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then echo "[custom-init] no custom files found, skipping..." exit 0 fi # Make sure custom init directory exists and has files in it -if { [ -e "${SCRIPTS_DIR}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then - echo "[custom-init] files found, executing" - for SCRIPT in ${SCRIPTS_DIR}/*; do +if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then + echo "[custom-init] files found, executing" + for SCRIPT in "${SCRIPTS_DIR}"/*; do NAME="$(basename "${SCRIPT}")" - if [ -f "${SCRIPT}" ]; then - echo "[custom-init] ${NAME}: executing..." - /bin/bash "${SCRIPT}" - echo "[custom-init] ${NAME}: exited $?" - elif [ ! -f "${SCRIPT}" ]; then - echo "[custom-init] ${NAME}: is not a file" + if [[ -f "${SCRIPT}" ]]; then + echo "[custom-init] ${NAME}: executing..." + /bin/bash "${SCRIPT}" + echo "[custom-init] ${NAME}: exited $?" + elif [[ ! 
-f "${SCRIPT}" ]]; then + echo "[custom-init] ${NAME}: is not a file" fi - done - fi + done fi -if { [ -e "${SCRIPTS_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; then - echo "[custom-init] files found, executing" - for SCRIPT in ${SCRIPTS_DIR_OLD}/*; do +if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then + echo "[custom-init] files found, executing" + for SCRIPT in "${SCRIPTS_DIR_OLD}"/*; do NAME="$(basename "${SCRIPT}")" - if [ -f "${SCRIPT}" ]; then - echo "[custom-init] ${NAME}: executing..." - /bin/bash "${SCRIPT}" - echo "[custom-init] ${NAME}: exited $?" - elif [ ! -f "${SCRIPT}" ]; then - echo "[custom-init] ${NAME}: is not a file" + if [[ -f "${SCRIPT}" ]]; then + echo "[custom-init] ${NAME}: executing..." + /bin/bash "${SCRIPT}" + echo "[custom-init] ${NAME}: exited $?" + elif [[ ! -f "${SCRIPT}" ]]; then + echo "[custom-init] ${NAME}: is not a file" fi - done - fi + done fi diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/run b/root/etc/s6-overlay/s6-rc.d/init-envfile/run index 32e2450..52560a5 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-envfile/run +++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/run 
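Review bot: The ownership tamper check added at the top of this hunk covers only `${SCRIPTS_DIR_OLD}`; scripts under `${SCRIPTS_DIR}` are run as root by `/bin/bash "${SCRIPT}"` with no such check. If `/custom-cont-init.d` is meant to be a root-owned host mount that only the host admin can write, say so next to the check, e.g. `# ${SCRIPTS_DIR} is expected to be a root-owned host mount, so no ownership check is applied`; otherwise the same `find … ! -user root` test should run against it too. Separately, `elif [[ ! -f "${SCRIPT}" ]]; then` in both loops is always true once the `if` has failed and reads clearer as a plain `else`. The `randstr=$(` line is cut off in this listing, so I could not review the rename logic.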
@@ -1,16 +1,17 @@ -#! /bin/bash +#!/usr/bin/with-contenv bash +# shellcheck shell=bash -if [[ "$(ls /var/run/s6/container_environment/ | xargs)" == *"FILE__"* ]]; then - for FILENAME in /var/run/s6/container_environment/*; do - if [[ "${FILENAME##*/}" == "FILE__"* ]]; then - SECRETFILE=$(cat ${FILENAME}) - if [[ -f ${SECRETFILE} ]]; then - FILESTRIP=${FILENAME//FILE__/} - cat ${SECRETFILE} > ${FILESTRIP} - echo "[env-init] ${FILESTRIP##*/} set from ${FILENAME##*/}" - else - echo "[env-init] cannot find secret in ${FILENAME##*/}" - fi - fi - done +if [[ "$(find /var/run/s6/container_environment/ -maxdepth 1 -print0 | xargs)" == *"FILE__"* ]]; then + for FILENAME in /var/run/s6/container_environment/*; do + if [[ "${FILENAME##*/}" == "FILE__"* ]]; then + SECRETFILE=$(cat "${FILENAME}") + if [[ -f ${SECRETFILE} ]]; then + FILESTRIP=${FILENAME//FILE__/} + cat "${SECRETFILE}" >"${FILESTRIP}" + echo "[env-init] ${FILESTRIP##*/} set from ${FILENAME##*/}" + else + echo "[env-init] cannot find secret in ${FILENAME##*/}" + fi + fi + done fi diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/run b/root/etc/s6-overlay/s6-rc.d/init-migrations/run index aaf084a..ff0874b 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-migrations/run +++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/run @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/with-contenv bash +# shellcheck shell=bash MIGRATIONS_DIR="/migrations" MIGRATIONS_HISTORY="/config/.migrations" 
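Review bot: `find … -maxdepth 1 -print0 | xargs` on the first line pairs NUL-terminated output with an `xargs` that expects whitespace separators; GNU xargs warns about the embedded NULs (busybox behaves differently again), so the `== *"FILE__"*` test is not reliable. The outer test is redundant anyway, since the loop already filters on the `FILE__` prefix — a glob does both at once: `for FILENAME in /var/run/s6/container_environment/FILE__*; do` with `[[ -e "${FILENAME}" ]] || continue` as the first statement. Also `cat "${SECRETFILE}" >"${FILESTRIP}"` truncates the target before `cat` runs, so an unreadable secret file leaves the variable empty while the log still reports "set from"; wrap it as `if cat "${SECRETFILE}" >"${FILESTRIP}"; then` and report the failure in the `else` branch.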
@@ -6,25 +7,28 @@ MIGRATIONS_HISTORY="/config/.migrations" echo "[migrations] started" if [[ ! -d ${MIGRATIONS_DIR} ]]; then - echo "[migrations] no migrations found" - exit + echo "[migrations] no migrations found" + exit fi for MIGRATION in $(find ${MIGRATIONS_DIR}/* | sort -n); do - NAME="$(basename "${MIGRATION}")" - if [[ -f ${MIGRATIONS_HISTORY} ]] && grep -Fxq "${NAME}" ${MIGRATIONS_HISTORY}; then - echo "[migrations] ${NAME}: skipped" - continue - fi - echo "[migrations] ${NAME}: executing..." - chmod +x "${MIGRATION}" - EXIT_CODE=$(/bin/bash "${MIGRATION}"; echo $?) - if [[ ${EXIT_CODE} -ne 0 ]]; then - echo "[migrations] ${NAME}: failed with exit code ${EXIT_CODE}, contact support" - exit "${EXIT_CODE}" - fi - echo "${NAME}" >> ${MIGRATIONS_HISTORY} - echo "[migrations] ${NAME}: succeeded" + NAME="$(basename "${MIGRATION}")" + if [[ -f ${MIGRATIONS_HISTORY} ]] && grep -Fxq "${NAME}" ${MIGRATIONS_HISTORY}; then + echo "[migrations] ${NAME}: skipped" + continue + fi + echo "[migrations] ${NAME}: executing..." + chmod +x "${MIGRATION}" + EXIT_CODE=$( + /bin/bash "${MIGRATION}" + echo $? + ) + if [[ ${EXIT_CODE} -ne 0 ]]; then + echo "[migrations] ${NAME}: failed with exit code ${EXIT_CODE}, contact support" + exit "${EXIT_CODE}" + fi + echo "${NAME}" >>${MIGRATIONS_HISTORY} + echo "[migrations] ${NAME}: succeeded" done echo "[migrations] done" diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run index fb5b11d..1dd4fde 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run 
@@ -1,33 +1,34 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash -if [ -f "/mod-repo-packages-to-install.list" ]; then +if [[ -f "/mod-repo-packages-to-install.list" ]]; then echo "**** Installing all mod packages ****" - if [ -f /usr/bin/apt ]; then + if [[ -f /usr/bin/apt ]]; then export DEBIAN_FRONTEND="noninteractive" apt-get update apt-get install -y --no-install-recommends \ - $(cat /mod-repo-packages-to-install.list) - elif [ -f /sbin/apk ]; then + "$(cat /mod-repo-packages-to-install.list)" + elif [[ -f /sbin/apk ]]; then apk add --no-cache \ - $(cat /mod-repo-packages-to-install.list) + "$(cat /mod-repo-packages-to-install.list)" fi fi -if [ -f "/mod-pip-packages-to-install.list" ]; then +if [[ -f "/mod-pip-packages-to-install.list" ]]; then echo "**** Installing all pip packages ****" python3 -m pip install -U pip wheel setuptools - if [ -f /usr/bin/apt ]; then + if [[ -f /usr/bin/apt ]]; then PIP_ARGS="-f https://wheel-index.linuxserver.io/ubuntu/" - elif [ -f /sbin/apk ]; then + elif [[ -f /sbin/apk ]]; then ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||') - if [ "${ALPINE_VER}" = "3.14" ]; then + if [[ "${ALPINE_VER}" = "3.14" ]]; then PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine/" else PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/" fi fi - python3 -m pip install ${PIP_ARGS} \ - $(cat /mod-pip-packages-to-install.list) + python3 -m pip install "${PIP_ARGS}" \ + "$(cat /mod-pip-packages-to-install.list)" fi rm -rf \ diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index e13d6d0..35d4c7a 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run 
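Review bot: Quoting `"$(cat /mod-repo-packages-to-install.list)"` (and likewise the pip list and `"${PIP_ARGS}"`) turns the whole file into a single argument, so `apt-get install "pkg1 pkg2"` / `apk add "pkg1 pkg2"` fail for any list with more than one package, and pip receives `-f https://…` as one token. The unquoted form was deliberate word-splitting; the ShellCheck-clean way to keep that is an array — `read -r -d '' -a MOD_PACKAGES </mod-repo-packages-to-install.list || true` then `"${MOD_PACKAGES[@]}"` — and `PIP_ARGS` as an array. The rewritten lines are below; the `ALPINE_VER` detection is unchanged and the trailing `rm -rf` ends outside this hunk.
```shell
if [[ -f "/mod-repo-packages-to-install.list" ]]; then
    echo "**** Installing all mod packages ****"
    # Split on whitespace into one argument per package; -d '' reads to EOF (non-zero status is expected).
    read -r -d '' -a MOD_PACKAGES </mod-repo-packages-to-install.list || true
    if [[ -f /usr/bin/apt ]]; then
        export DEBIAN_FRONTEND="noninteractive"
        apt-get update
        apt-get install -y --no-install-recommends "${MOD_PACKAGES[@]}"
    elif [[ -f /sbin/apk ]]; then
        apk add --no-cache "${MOD_PACKAGES[@]}"
    fi
fi

if [[ -f "/mod-pip-packages-to-install.list" ]]; then
    echo "**** Installing all pip packages ****"
    python3 -m pip install -U pip wheel setuptools
    if [[ -f /usr/bin/apt ]]; then
        PIP_ARGS=(-f "https://wheel-index.linuxserver.io/ubuntu/")
    elif [[ -f /sbin/apk ]]; then
        # … unchanged: ALPINE_VER detection …
        if [[ "${ALPINE_VER}" = "3.14" ]]; then
            PIP_ARGS=(-f "https://wheel-index.linuxserver.io/alpine/")
        else
            PIP_ARGS=(-f "https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/")
        fi
    fi
    read -r -d '' -a PIP_PACKAGES </mod-pip-packages-to-install.list || true
    python3 -m pip install "${PIP_ARGS[@]}" "${PIP_PACKAGES[@]}"
fi
```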
@@ -1,12 +1,13 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # This doesn't do anything yet exit 0 -if { [ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]; } && \ - { [ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]; }; then -cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null +if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] && + [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then + cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null ******************************************************** ******************************************************** * * diff --git a/root/usr/bin/with-contenv b/root/usr/bin/with-contenv index 212d908..e47468c 100755 --- a/root/usr/bin/with-contenv +++ b/root/usr/bin/with-contenv @@ -1,9 +1,9 @@ -#! /bin/bash +#!/bin/bash -if [[ -f /var/run/s6/container_environment/UMASK ]] && \ - { [[ "$(pwdx $$)" =~ "/run/s6/legacy-services/" ]] || \ - [[ "$(pwdx $$)" =~ "/run/s6/services/" ]] || \ - [[ "$(pwdx $$)" =~ "/servicedirs/svc-" ]]; }; then - umask $(cat /var/run/s6/container_environment/UMASK) +if [[ -f /var/run/s6/container_environment/UMASK ]] && + { [[ "$(pwdx $$)" =~ "/run/s6/legacy-services/" ]] || + [[ "$(pwdx $$)" =~ "/run/s6/services/" ]] || + [[ "$(pwdx $$)" =~ "/servicedirs/svc-" ]]; }; then + umask "$(cat /var/run/s6/container_environment/UMASK)" fi exec /command/with-contenv "$@" From ec2e9b7ac07789486e4aa32195190b9b475dfc8a Mon Sep 17 00:00:00 2001 
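Review bot: `tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt` passes one comma-joined path, so once the `exit 0` guard above it is removed the README lands in a single oddly named file and nothing is written into the second directory. `tee` takes its targets as separate arguments: `tee /config/custom-cont-init.d/README.txt /config/custom-services.d/README.txt`. The heredoc body continues outside this hunk.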
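Review bot: `umask "$(cat /var/run/s6/container_environment/UMASK)"` applies the value without validating it; a non-octal or out-of-range value makes `umask` print an error and, with no `set -e`, the service then starts under the default umask with nothing recording why. Read it into a variable and check it first: `umask_val="$(cat /var/run/s6/container_environment/UMASK)"` followed by `if [[ "${umask_val}" =~ ^[0-7]{1,4}$ ]]; then umask "${umask_val}"; else echo "[with-contenv] ignoring invalid UMASK '${umask_val}'" >&2; fi`.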
From: TheSpad Date: Sun, 28 Aug 2022 12:57:13 +0100 Subject: [PATCH 28/60] Bump s6 to 3.1.2.0, replace patch with STAGE2_HOOK, reduce logging level --- Dockerfile | 10 ++++------ Dockerfile.aarch64 | 10 ++++------ Dockerfile.armhf | 10 ++++------ .../etc/s6-linux-init/skel/rc.init.patch | 11 ----------- 4 files changed, 12 insertions(+), 29 deletions(-) delete mode 100644 patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch diff --git a/Dockerfile b/Dockerfile index 063595d..7e3ca93 100644 --- a/Dockerfile +++ b/Dockerfile @@ -36,7 +36,7 @@ RUN \ sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow # set version for s6 overlay -ARG S6_OVERLAY_VERSION="3.1.0.1" +ARG S6_OVERLAY_VERSION="3.1.2.0" ARG S6_OVERLAY_ARCH="x86_64" # add s6 overlay @@ -54,10 +54,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz # copy ci-checks COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d -# patch cont-init for docker-mods -COPY patch/ /tmp/patch -RUN patch -u /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-linux-init/skel/rc.init -i /tmp/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch - # Runtime stage FROM scratch COPY --from=rootfs-stage /root-out/ / @@ -70,7 +66,9 @@ LABEL maintainer="TheLamer" ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \ HOME="/root" \ TERM="xterm" \ -S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" +S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" \ +S6_VERBOSITY=1 \ +S6_STAGE2_HOOK=/docker-mods RUN \ echo "**** install runtime packages ****" && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 03c98fd..816e517 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -36,7 +36,7 @@ RUN \ sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow # set version for s6 overlay -ARG S6_OVERLAY_VERSION="3.1.0.1" +ARG S6_OVERLAY_VERSION="3.2.0.0" ARG S6_OVERLAY_ARCH="aarch64" # add s6 overlay 
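Review bot: `S6_STAGE2_HOOK=/docker-mods` replaces the deleted rc.init patch, but nothing in the Dockerfile says what the hook does or why it has to run at that point; a comment on the ENV line would spare the next reader a trip through the s6-overlay docs, e.g. `# S6_STAGE2_HOOK: run /docker-mods (as root, before s6-rc starts any service) in place of the old rc.init patch` — the "before services" part is my reading of the deleted patch, which inserted the call at the same point in rc.init. `S6_VERBOSITY=1` deserves a word too, since it trims the s6 lines that end up in the container log, which is what operators have when a service fails to start. Outside this hunk, the `ADD https://github.com/just-containers/s6-overlay/releases/download/...` lines fetch the overlay tarballs with no checksum; pinning a sha256 per artifact would make the base rootfs tamper-evident and reproducible.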
@@ -54,10 +54,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz # copy ci-checks COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d -# patch cont-init for docker-mods -COPY patch/ /tmp/patch -RUN patch -u /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-linux-init/skel/rc.init -i /tmp/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch - # Runtime stage FROM scratch COPY --from=rootfs-stage /root-out/ / @@ -70,7 +66,9 @@ LABEL maintainer="TheLamer" ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \ HOME="/root" \ TERM="xterm" \ -S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" +S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" \ +S6_VERBOSITY=1 \ +S6_STAGE2_HOOK=/docker-mods RUN \ echo "**** install runtime packages ****" && \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index e46f1f3..ee52624 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -36,7 +36,7 @@ RUN \ sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow # set version for s6 overlay -ARG S6_OVERLAY_VERSION="3.1.0.1" +ARG S6_OVERLAY_VERSION="3.1.2.0" ARG S6_OVERLAY_ARCH="armhf" # add s6 overlay @@ -54,10 +54,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz # copy ci-checks COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d -# patch cont-init for docker-mods -COPY patch/ /tmp/patch -RUN patch -u /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-linux-init/skel/rc.init -i /tmp/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch - # Runtime stage FROM scratch COPY --from=rootfs-stage /root-out/ / @@ -70,7 +66,9 @@ LABEL maintainer="TheLamer" ENV PS1="$(whoami)@$(hostname):$(pwd)\\$ " \ HOME="/root" \ TERM="xterm" \ -S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" +S6_CMD_WAIT_FOR_SERVICES_MAXTIME="0" \ +S6_VERBOSITY=1 \ +S6_STAGE2_HOOK=/docker-mods RUN \ echo "**** install runtime packages ****" && \ 
diff --git a/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch b/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch deleted file mode 100644 index b01a7f0..0000000 --- a/patch/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- rc.init 2022-05-20 17:41:11.195721000 -0500 -+++ rc.init.patched 2022-05-20 17:41:37.646586700 -0500 -@@ -6,6 +6,8 @@ - s6-chmod 0755 /run/s6/container_environment - fi - -+/docker-mods -+ - if profile=`printcontenv S6_RUNTIME_PROFILE` ; then - etc="/etc/cont-profile.d/$profile" - else From 4f4d98821170a70c94c58da37cc69de2df8bcb2c Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 13:02:55 +0100 Subject: [PATCH 29/60] Fix incorrect S6 version --- Dockerfile.aarch64 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 816e517..91a55a0 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -36,7 +36,7 @@ RUN \ sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow # set version for s6 overlay -ARG S6_OVERLAY_VERSION="3.2.0.0" +ARG S6_OVERLAY_VERSION="3.1.2.0" ARG S6_OVERLAY_ARCH="aarch64" # add s6 overlay From e0fd8cb9645db7cf27990ab9b12d13d613219a94 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 16:07:23 +0100 Subject: [PATCH 30/60] Expand tamper check and enable custom files warning --- root/docker-mods | 28 +++++++++++++------ .../s6-overlay/s6-rc.d/init-custom-files/run | 10 ++++++- .../s6-overlay/s6-rc.d/init-script-check/run | 4 --- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 9217c73..17aa908 100755 --- a/root/docker-mods +++ b/root/docker-mods 
@@ -9,21 +9,31 @@ set_legacy_executable_bits() { /etc/services.d/*/* 2>/dev/null || true } -# Tamper check legacy custom service locations +# Tamper check custom service locations tamper_check() { - if [[ -d "/config/custom-services.d" ]] && [[ -n "$(find /config/custom-services.d ! -user root)" ]]; then + SERVICES_DIR_OLD="/config/custom-services.d" + SERVICES_DIR="/custom-services.d" + if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then echo "**** Potential tampering with custom scripts detected ****" randstr=$( tr /dev/null)" ]] && [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null From 9c126e46cc8675d67cc3988ea144c3084cdd4ec3 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 16:24:18 +0100 Subject: [PATCH 31/60] Use user2 bundle instead of top hack for ci-check --- Dockerfile | 3 --- Dockerfile.aarch64 | 3 --- Dockerfile.armhf | 3 --- .../s6-rc.d/99-ci-service-check/dependencies.d/legacy-services | 0 .../s6-overlay/s6-rc.d/user2/contents.d}/99-ci-service-check | 0 5 files changed, 9 deletions(-) delete mode 100644 root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/legacy-services rename {ci-check => root/etc/s6-overlay/s6-rc.d/user2/contents.d}/99-ci-service-check (100%) diff --git a/Dockerfile b/Dockerfile index 7e3ca93..9ec70c6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,9 +51,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-arch.tar.xz /tmp RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz -# copy ci-checks -COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d - # Runtime stage FROM scratch COPY --from=rootfs-stage /root-out/ / 
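Review bot: `find ${SERVICES_DIR_OLD} ! -user root` in the new tamper_check condition leaves the expansion unquoted, unlike the `[[ -d "${SERVICES_DIR_OLD}" ]]` test beside it; the value is a fixed path here so it is harmless, but ShellCheck reports it (SC2086) and the same pattern is copied into the later PATCH 37 and PATCH 43 hunks on this page. Write `[[ -n "$(find "${SERVICES_DIR_OLD}" ! -user root)" ]]` for consistency. The remainder of this hunk is garbled in this rendering and could not be reviewed.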
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 91a55a0..558bd70 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -51,9 +51,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-arch.tar.xz /tmp RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz -# copy ci-checks -COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d - # Runtime stage FROM scratch COPY --from=rootfs-stage /root-out/ / diff --git a/Dockerfile.armhf b/Dockerfile.armhf index ee52624..7c107b2 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -51,9 +51,6 @@ RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-arch.tar.xz /tmp RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz -# copy ci-checks -COPY ci-check/ /root-out/package/admin/s6-overlay-${S6_OVERLAY_VERSION}/etc/s6-rc/sources/top/contents.d - # Runtime stage FROM scratch COPY --from=rootfs-stage /root-out/ / diff --git a/root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/legacy-services b/root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/legacy-services deleted file mode 100644 index e69de29..0000000 diff --git a/ci-check/99-ci-service-check b/root/etc/s6-overlay/s6-rc.d/user2/contents.d/99-ci-service-check similarity index 100% rename from ci-check/99-ci-service-check rename to root/etc/s6-overlay/s6-rc.d/user2/contents.d/99-ci-service-check From 00cc255a452d0b73590ecf89ccc4c4b18e4fd6d4 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 17:48:09 +0100 Subject: [PATCH 32/60] Fix trigger logic --- root/etc/s6-overlay/s6-rc.d/init-script-check/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index 09120e8..88767bc 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run @@ -1,7 +1,7 @@ #!/usr/bin/with-contenv bash # shellcheck shell=bash -if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] && +if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] || [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null ******************************************************** From 7b8515c27eec6c1e914a0896bec936ea68fbdf7f Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 17:51:23 +0100 Subject: [PATCH 33/60] Add link to script check banner --- root/etc/s6-overlay/s6-rc.d/init-script-check/run | 2 ++ 1 file changed, 2 insertions(+) diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index 88767bc..9c6c619 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run @@ -14,6 +14,8 @@ if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] || * to /custom-cont-init.d and /custom-services.d * * respectively to ensure they continue working. * * * + * Visit https://linuxserver.io/custom for more info. * + * * ******************************************************** ******************************************************** EOF From ea7f9dddffe101294d6009770e76a4cddc18bd3c Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 18:12:20 +0100 Subject: [PATCH 34/60] Standardise logic so it works cross-distro --- root/etc/s6-overlay/s6-rc.d/init-envfile/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/run b/root/etc/s6-overlay/s6-rc.d/init-envfile/run index 52560a5..1b9991a 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-envfile/run +++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/run @@ -1,7 +1,7 @@ #!/usr/bin/with-contenv bash # shellcheck shell=bash -if [[ "$(find /var/run/s6/container_environment/ -maxdepth 1 -print0 | xargs)" == *"FILE__"* ]]; then +if [[ "$(find /var/run/s6/container_environment/*"FILE__"* -maxdepth 1 2>/dev/null)" ]]; then for FILENAME in /var/run/s6/container_environment/*; do if [[ "${FILENAME##*/}" == "FILE__"* ]]; then SECRETFILE=$(cat "${FILENAME}") From 10d77113b50e0757447dbbb8b2779222ad11d226 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 18:37:38 +0100 Subject: [PATCH 35/60] Simplify if logic --- root/etc/s6-overlay/s6-rc.d/init-envfile/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/run b/root/etc/s6-overlay/s6-rc.d/init-envfile/run index 1b9991a..3040a92 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-envfile/run +++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/run @@ -1,7 +1,7 @@ #!/usr/bin/with-contenv bash # shellcheck shell=bash -if [[ "$(find /var/run/s6/container_environment/*"FILE__"* -maxdepth 1 2>/dev/null)" ]]; then +if find /var/run/s6/container_environment/*"FILE__"* -maxdepth 1 > /dev/null 2>&1; then for FILENAME in /var/run/s6/container_environment/*; do if [[ "${FILENAME##*/}" == "FILE__"* ]]; then SECRETFILE=$(cat "${FILENAME}") From 7f8d1425529e380739292bf985fe29e712a7d19c Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 20:20:28 +0100 Subject: [PATCH 36/60] Fix script check exit code --- root/etc/s6-overlay/s6-rc.d/init-script-check/run | 1 + 1 file changed, 1 insertion(+) diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index 9c6c619..dc2ee8b 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run 
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run @@ -20,3 +20,4 @@ if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] || ******************************************************** EOF fi +exit 0 From 5eb25b8357da83fd5fd7f8ddb55fe8d11b4f28c5 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Sun, 28 Aug 2022 20:30:30 +0100 Subject: [PATCH 37/60] Fix tamper check for custom files --- root/docker-mods | 32 +++++++++++++++++-- .../s6-overlay/s6-rc.d/init-custom-files/run | 25 --------------- 2 files changed, 30 insertions(+), 27 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 17aa908..1ce68d2 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -9,10 +9,38 @@ set_legacy_executable_bits() { /etc/services.d/*/* 2>/dev/null || true } -# Tamper check custom service locations tamper_check() { + SCRIPTS_DIR_OLD="/config/custom-cont-init.d" + SCRIPTS_DIR="/custom-cont-init.d" SERVICES_DIR_OLD="/config/custom-services.d" - SERVICES_DIR="/custom-services.d" + SERVICES_DIR="/custom-services.d" + + # Tamper check custom script locations + if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then + echo "**** Potential tampering with custom scripts detected ****" + randstr=$( + tr Date: Sun, 28 Aug 2022 23:17:13 +0100 Subject: [PATCH 38/60] Fix custom script banner tee --- root/etc/s6-overlay/s6-rc.d/init-script-check/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index dc2ee8b..74b73e7 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run 
@@ -3,7 +3,7 @@ if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] || [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then - cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null + cat << EOF | tee {/config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt} 2>/dev/null ******************************************************** ******************************************************** * * From 0e554393861e7915260341699b0a931debc61bb2 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Mon, 29 Aug 2022 23:06:06 +0100 Subject: [PATCH 39/60] Bump s6 to 3.1.2.1 to fix regression --- Dockerfile | 2 +- Dockerfile.aarch64 | 2 +- Dockerfile.armhf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9ec70c6..e73a8c4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -36,7 +36,7 @@ RUN \ sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow # set version for s6 overlay -ARG S6_OVERLAY_VERSION="3.1.2.0" +ARG S6_OVERLAY_VERSION="3.1.2.1" ARG S6_OVERLAY_ARCH="x86_64" # add s6 overlay diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 558bd70..4bb7c91 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -36,7 +36,7 @@ RUN \ sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow # set version for s6 overlay -ARG S6_OVERLAY_VERSION="3.1.2.0" +ARG S6_OVERLAY_VERSION="3.1.2.1" ARG S6_OVERLAY_ARCH="aarch64" # add s6 overlay diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 7c107b2..02336c7 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -36,7 +36,7 @@ RUN \ sed -i -e 's/^root::/root:!:/' /root-out/etc/shadow # set version for s6 overlay -ARG S6_OVERLAY_VERSION="3.1.2.0" +ARG S6_OVERLAY_VERSION="3.1.2.1" ARG S6_OVERLAY_ARCH="armhf" # add s6 overlay From ef5ebc65e4bc2d774f95ae56ae8013ebc134f29f Mon Sep 17 00:00:00 2001 
From: TheSpad
Date: Fri, 2 Sep 2022 11:03:21 +0100
Subject: [PATCH 40/60] Fix custom service logic
---
 root/docker-mods | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/root/docker-mods b/root/docker-mods
index 1ce68d2..5dd88a4 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -91,12 +91,11 @@ process_custom_services() {
 NAME="$(basename "${SERVICE}")"
 if [[ -f "${SERVICE}" ]]; then
 echo "[custom-init] ${NAME}: service detected, copying..."
- mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
+ mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/
 cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
 chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
 echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
 touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services
- touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}"
 echo "[custom-init] ${NAME}: copied"
 elif [[ ! -f "${SERVICE}" ]]; then
 echo "[custom-init] ${NAME}: is not a file"
@@ -110,12 +109,11 @@ process_custom_services() {
 NAME="$(basename "${SERVICE}")"
 if [[ -f "${SERVICE}" ]]; then
 echo "[custom-init] ${NAME}: service detected, copying..."
- mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
+ mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/
 cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
 chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
 echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
 touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services
- touch /etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/custom-svc-"${NAME}"
 echo "[custom-init] ${NAME}: copied"
 elif [[ ! -f "${SERVICE}" ]]; then
 echo "[custom-init] ${NAME}: is not a file"
From 6e7eb8a8d3f33719be5f951ff437e8c7800d3cbc Mon Sep 17 00:00:00 2001
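Review bot: Both hunks apply the identical two-line change to two verbatim copies of the service-install loop body (the `${SERVICES_DIR}` and `${SERVICES_DIR_OLD}` branches of process_custom_services), and the next commit on this page has to touch both copies again; duplicated bodies like this are how one branch silently drifts from the other. Move the mkdir/cp/chmod/type/dependencies.d sequence into a helper such as `install_custom_service() { local svc=$1 ... }` that takes the service path and derives `NAME` itself, and have both loops call it. process_custom_services begins before the first hunk and its loop headers are not visible here.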
From: TheSpad
Date: Sat, 3 Sep 2022 11:14:44 +0100
Subject: [PATCH 41/60] Add custom services to user bundle
---
 root/docker-mods | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/root/docker-mods b/root/docker-mods
index 5dd88a4..64d7082 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -96,6 +96,7 @@ process_custom_services() {
 chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
 echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
 touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services
+ touch /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-"${NAME}"
 echo "[custom-init] ${NAME}: copied"
 elif [[ ! -f "${SERVICE}" ]]; then
 echo "[custom-init] ${NAME}: is not a file"
@@ -114,6 +115,7 @@ process_custom_services() {
 chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
 echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
 touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services
+ touch /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-"${NAME}"
 echo "[custom-init] ${NAME}: copied"
 elif [[ ! -f "${SERVICE}" ]]; then
 echo "[custom-init] ${NAME}: is not a file"
From 696a16f01be3476eb1aab06ab8e1f0e8c83ae9d3 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sat, 3 Sep 2022 13:32:38 +0100
Subject: [PATCH 42/60] Set noninteractive for apt
---
 root/docker-mods | 1 +
 1 file changed, 1 insertion(+)
diff --git a/root/docker-mods b/root/docker-mods
index 64d7082..9b1faa0 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -130,6 +130,7 @@ curl_check() {
 echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing"
 if [[ -f /usr/bin/apt ]]; then
 ## Ubuntu
+ export DEBIAN_FRONTEND="noninteractive"
 apt-get update
 apt-get install --no-install-recommends -y \
 curl \
From 82d4508817c3719948c7b537419cd72b03a56d8e Mon Sep 17 00:00:00 2001
From: TheSpad Date: Mon, 5 Sep 2022 17:07:57 +0100 Subject: [PATCH 43/60] Rework legacy custom file handling --- root/docker-mods | 113 ++++++++++-------- .../s6-overlay/s6-rc.d/init-custom-files/run | 23 ++-- .../s6-overlay/s6-rc.d/init-script-check/run | 28 ++--- 3 files changed, 91 insertions(+), 73 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 9b1faa0..4f6f050 100755 --- a/root/docker-mods +++ b/root/docker-mods 
@@ -10,11 +10,25 @@ set_legacy_executable_bits() { } tamper_check() { - SCRIPTS_DIR_OLD="/config/custom-cont-init.d" - SCRIPTS_DIR="/custom-cont-init.d" - SERVICES_DIR_OLD="/config/custom-services.d" - SERVICES_DIR="/custom-services.d" + #Tamper check custom service locations + if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root)" ]]; then + echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****" + echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" + elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w)" ]]; then + echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****" + echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" + fi + #Tamper check custom script locations + if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root)" ]]; then + echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****" + echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" + elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w)" ]]; then + echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. ****" + echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. 
****" + fi +} +tamper_check_legacy() { # Tamper check custom script locations if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then echo "**** Potential tampering with custom scripts detected ****" 
@@ -23,54 +37,30 @@ tamper_check() { echo ) mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}" - echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****" - echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" - mkdir -p ${SCRIPTS_DIR_OLD} - chown 0:0 ${SCRIPTS_DIR_OLD} + echo "[custom-init] **** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****" + echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then - echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" - echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - fi - - if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then - echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****" - echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then - echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****" - echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" + echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. 
****" + echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi # Tamper check custom service locations if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then - echo "**** Potential tampering with custom scripts detected ****" + echo "[custom-init] **** Potential tampering with custom scripts detected ****" randstr=$( tr /dev/null)" ]]; then @@ -78,15 +68,9 @@ process_custom_services() { rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* fi - if [[ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]] && - [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then - echo "[custom-init] no custom services found, skipping..." - return - fi - # Make sure custom service directory exists and has files in it if [[ -e "${SERVICES_DIR}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]]; then - echo "[custom-init] service files found in ${SERVICES_DIR}" + echo "[custom-init] Service files found in ${SERVICES_DIR}" for SERVICE in "${SERVICES_DIR}"/*; do NAME="$(basename "${SERVICE}")" if [[ -f "${SERVICE}" ]]; then 
@@ -104,8 +88,25 @@ process_custom_services() { done fi + # Remove legacy folder if it's empty + if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then + echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..." + rm -rf "${SERVICES_DIR_OLD}" + fi +} + +process_custom_services_legacy() { + + # Remove all existing custom services before continuing to ensure + # we aren't running anything the user may have removed + if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then + echo "[custom-init] removing existing custom services..." + rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* + fi + + # Make sure custom service directory exists and has files in it if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then - echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" + echo "[custom-init] Service files found in ${SERVICES_DIR_OLD}" for SERVICE in "${SERVICES_DIR_OLD}"/*; do NAME="$(basename "${SERVICE}")" if [[ -f "${SERVICE}" ]]; then @@ -121,6 +122,9 @@ process_custom_services() { echo "[custom-init] ${NAME}: is not a file" fi done + elif [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then + echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..." + rm -rf "${SERVICES_DIR_OLD}" fi } 
@@ -251,11 +255,22 @@ run_mods() { done } -# Tamper check legacy services -tamper_check +# Main script loop -# Process any custom services -process_custom_services +SCRIPTS_DIR_OLD="/config/custom-cont-init.d" +SCRIPTS_DIR="/custom-cont-init.d" +SERVICES_DIR_OLD="/config/custom-services.d" +SERVICES_DIR="/custom-services.d" + +if [ ! -d "/custom-cont-init.d" ] && [ ! -d "/custom-services.d" ]; then + # Tamper check legacy custom folders + tamper_check_legacy + process_custom_services_legacy +else + # Tamper check new custom folders + tamper_check + process_custom_services +fi # Run mod logic if [[ -n "${DOCKER_MODS+x}" ]]; then diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run index a202b5b..de28df5 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run +++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run @@ -17,15 +17,9 @@ if [[ -e "${SERVICES_DIR_OLD}" ]]; then chown -R 0:0 "${SERVICES_DIR_OLD}" fi -if [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]] && - [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then - echo "[custom-init] no custom files found, skipping..." - exit 0 -fi - # Make sure custom init directory exists and has files in it if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then - echo "[custom-init] files found, executing" + echo "[custom-init] Files found, executing" for SCRIPT in "${SCRIPTS_DIR}"/*; do NAME="$(basename "${SCRIPT}")" if [[ -f "${SCRIPT}" ]]; then 
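Review bot: The new dispatch `if [ ! -d "/custom-cont-init.d" ] && [ ! -d "/custom-services.d" ]` takes the legacy path only when both new directories are absent, so a container that has `/custom-cont-init.d` but still keeps its services in `/config/custom-services.d` runs only tamper_check and process_custom_services, and the legacy services are neither ownership-checked nor installed (process_custom_services touches `${SERVICES_DIR_OLD}` only to delete it when empty). Dispatching per directory would close that gap, but note that both process_custom_services variants start by removing `/etc/s6-overlay/s6-rc.d/custom-svc-*`, so they cannot simply both be called; if the either/or is intentional, document it at the `# Main script loop` comment. The condition also hardcodes the paths assigned two lines earlier and uses `[ ]` where the rest of the file uses `[[ ]]`; `if [[ ! -d "${SCRIPTS_DIR}" ]] && [[ ! -d "${SERVICES_DIR}" ]]; then` keeps it consistent.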
@@ -36,10 +30,14 @@ if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" echo "[custom-init] ${NAME}: is not a file" fi done -fi -if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then - echo "[custom-init] files found, executing" + # Remove legacy folder if it's empty + if [[ -e "${SCRIPTS_DIR}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then + echo "[custom-init] Legacy service folder ${SCRIPTS_DIR} is empty, deleting..." + rm -rf "${SCRIPTS_DIR}" + fi +elif [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then + echo "[custom-init] Files found, executing" for SCRIPT in "${SCRIPTS_DIR_OLD}"/*; do NAME="$(basename "${SCRIPT}")" if [[ -f "${SCRIPT}" ]]; then @@ -50,4 +48,9 @@ if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/de echo "[custom-init] ${NAME}: is not a file" fi done +elif [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then + echo "[custom-init] Legacy files folder ${SCRIPTS_DIR_OLD} is empty, deleting..." + rm -rf "${SCRIPTS_DIR_OLD}" +else + echo "[custom-init] No custom files found, skipping..." fi diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index 74b73e7..e20e12f 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run 
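Review bot: The "Remove legacy folder if it's empty" block added in the first hunk tests and removes `${SCRIPTS_DIR}` (the new directory) rather than `${SCRIPTS_DIR_OLD}`, and it sits inside the branch entered only because `ls -A ${SCRIPTS_DIR}` was non-empty, so as written it is unreachable and would delete the wrong directory if its condition ever held; the empty-legacy-folder case is already covered by the `elif` on `${SCRIPTS_DIR_OLD}` added in the second hunk, so drop this block. Its message also says "Legacy service folder" for what is the scripts directory. Separately, turning the second loop into an `elif` means that when both the new and the legacy folder contain files the legacy ones are now skipped without a word, whereas before this change both sets ran; an explicit log line such as `echo "[custom-init] Ignoring legacy files in ${SCRIPTS_DIR_OLD}"` in that case would make the skip visible.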
@@ -4,20 +4,20 @@ if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] || [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then cat << EOF | tee {/config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt} 2>/dev/null - ******************************************************** - ******************************************************** - * * - * !!!! * - * Custom scripts or services found in legacy locations * - * !!!! * - * Please move your custom scripts and services * - * to /custom-cont-init.d and /custom-services.d * - * respectively to ensure they continue working. * - * * - * Visit https://linuxserver.io/custom for more info. * - * * - ******************************************************** - ******************************************************** +******************************************************** +******************************************************** +* * +* !!!! * +* Custom scripts or services found in legacy locations * +* !!!! * +* Please move your custom scripts and services * +* to /custom-cont-init.d and /custom-services.d * +* respectively to ensure they continue working. * +* * +* Visit https://linuxserver.io/custom for more info. * +* * +******************************************************** +******************************************************** EOF fi exit 0 From 261c0b7c506128db411cafec418ca5de345c2e7e Mon Sep 17 00:00:00 2001 From: TheSpad Date: Mon, 5 Sep 2022 17:14:17 +0100 Subject: [PATCH 44/60] Add note if no custom services found --- root/docker-mods | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/root/docker-mods b/root/docker-mods index 4f6f050..97949a6 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -86,6 +86,8 @@ process_custom_services() { echo "[custom-init] ${NAME}: is not a file" fi done + else + echo "[custom-init] No custom services found, skipping..." fi # Remove legacy folder if it's empty 
@@ -122,7 +124,12 @@ process_custom_services_legacy() { echo "[custom-init] ${NAME}: is not a file" fi done - elif [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then + else + echo "[custom-init] No custom services found, skipping..." + fi + + # Remove legacy folder if it's empty + if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..." rm -rf "${SERVICES_DIR_OLD}" fi From fd0e34c1f5cda66b3233652b815d97857d6476c5 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Mon, 5 Sep 2022 21:55:22 +0100 Subject: [PATCH 45/60] Allow word splitting --- root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run index 1dd4fde..38ac72a 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run @@ -7,10 +7,10 @@ if [[ -f "/mod-repo-packages-to-install.list" ]]; then export DEBIAN_FRONTEND="noninteractive" apt-get update apt-get install -y --no-install-recommends \ - "$(cat /mod-repo-packages-to-install.list)" + $(cat /mod-repo-packages-to-install.list) elif [[ -f /sbin/apk ]]; then apk add --no-cache \ - "$(cat /mod-repo-packages-to-install.list)" + $(cat /mod-repo-packages-to-install.list) fi fi @@ -28,7 +28,7 @@ if [[ -f "/mod-pip-packages-to-install.list" ]]; then fi fi python3 -m pip install "${PIP_ARGS}" \ - "$(cat /mod-pip-packages-to-install.list)" + $(cat /mod-pip-packages-to-install.list) fi rm -rf \ From 12eda7a8314c3ba5b4b3b1f9ad50e2e197ef4015 Mon Sep 17 00:00:00 2001 
From: TheSpad Date: Mon, 5 Sep 2022 22:32:03 +0100 Subject: [PATCH 46/60] Fix pip args --- root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run index 38ac72a..9b935b9 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run @@ -27,7 +27,7 @@ if [[ -f "/mod-pip-packages-to-install.list" ]]; then PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/" fi fi - python3 -m pip install "${PIP_ARGS}" \ + python3 -m pip install ${PIP_ARGS} \ $(cat /mod-pip-packages-to-install.list) fi From fe11b1ded7fdaac2bfea625ab52cea101ac90d6d Mon Sep 17 00:00:00 2001 From: TheSpad Date: Tue, 6 Sep 2022 09:44:57 +0100 Subject: [PATCH 47/60] Fix package install logic --- .../s6-rc.d/init-mods-package-install/run | 50 +++++++++++-------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run index 9b935b9..8bfe1f0 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run +++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run 
@@ -2,33 +2,41 @@
 # shellcheck shell=bash
 if [[ -f "/mod-repo-packages-to-install.list" ]]; then
- echo "**** Installing all mod packages ****"
- if [[ -f /usr/bin/apt ]]; then
- export DEBIAN_FRONTEND="noninteractive"
- apt-get update
- apt-get install -y --no-install-recommends \
- $(cat /mod-repo-packages-to-install.list)
- elif [[ -f /sbin/apk ]]; then
- apk add --no-cache \
- $(cat /mod-repo-packages-to-install.list)
+ IFS=' ' read -ra REPO_PACKAGES <<< "$(cat /mod-repo-packages-to-install.list)"
+ if [[ ${#REPO_PACKAGES[@]} -ne 0 ]] && [[ ${REPO_PACKAGES[*]} != "" ]]; then
+ echo "**** Installing all mod packages ****"
+ if [[ -f /usr/bin/apt ]]; then
+ export DEBIAN_FRONTEND="noninteractive"
+ apt-get update
+ apt-get install -y --no-install-recommends \
+ "${REPO_PACKAGES[@]}"
+ elif [[ -f /sbin/apk ]]; then
+ apk add --no-cache \
+ "${REPO_PACKAGES[@]}"
+ fi
 fi
 fi
 if [[ -f "/mod-pip-packages-to-install.list" ]]; then
- echo "**** Installing all pip packages ****"
- python3 -m pip install -U pip wheel setuptools
- if [[ -f /usr/bin/apt ]]; then
- PIP_ARGS="-f https://wheel-index.linuxserver.io/ubuntu/"
- elif [[ -f /sbin/apk ]]; then
- ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||')
- if [[ "${ALPINE_VER}" = "3.14" ]]; then
- PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine/"
- else
- PIP_ARGS="-f https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/"
+ IFS=' ' read -ra PIP_PACKAGES <<< "$(cat /mod-pip-packages-to-install.list)"
+ if [[ ${#PIP_PACKAGES[@]} -ne 0 ]] && [[ ${PIP_PACKAGES[*]} != "" ]]; then
+ echo "**** Installing all pip packages ****"
+ python3 -m pip install -U pip wheel setuptools
+ PIP_ARGS=()
+ if [[ -f /usr/bin/apt ]]; then
+ PIP_ARGS+=("-f" "https://wheel-index.linuxserver.io/ubuntu/")
+ elif [[ -f /sbin/apk ]]; then
+ ALPINE_VER=$(grep main /etc/apk/repositories | sed 's|.*alpine/v||' | sed 's|/main.*||')
+ if [[ "${ALPINE_VER}" = "3.14" ]]; then
+ PIP_ARGS+=("-f" 
"https://wheel-index.linuxserver.io/alpine/")
+ else
+ PIP_ARGS+=("-f" "https://wheel-index.linuxserver.io/alpine-${ALPINE_VER}/")
+ fi
 fi
+ python3 -m pip install \
+ "${PIP_ARGS[@]}" \
+ "${PIP_PACKAGES[@]}"
 fi
- python3 -m pip install ${PIP_ARGS} \
- $(cat /mod-pip-packages-to-install.list)
 fi
 rm -rf \
From c773341cea7619ae6b696bc63dffd948f23591e3 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Tue, 6 Sep 2022 15:45:01 +0100
Subject: [PATCH 48/60] Standardise output
---
 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
index 8bfe1f0..254b3dc 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
@@ -4,7 +4,7 @@
 if [[ -f "/mod-repo-packages-to-install.list" ]]; then
 IFS=' ' read -ra REPO_PACKAGES <<< "$(cat /mod-repo-packages-to-install.list)"
 if [[ ${#REPO_PACKAGES[@]} -ne 0 ]] && [[ ${REPO_PACKAGES[*]} != "" ]]; then
- echo "**** Installing all mod packages ****"
+ echo "[mod-init] **** Installing all mod packages ****"
 if [[ -f /usr/bin/apt ]]; then
 export DEBIAN_FRONTEND="noninteractive"
 apt-get update
@@ -20,7 +20,7 @@ fi
 if [[ -f "/mod-pip-packages-to-install.list" ]]; then
 IFS=' ' read -ra PIP_PACKAGES <<< "$(cat /mod-pip-packages-to-install.list)"
 if [[ ${#PIP_PACKAGES[@]} -ne 0 ]] && [[ ${PIP_PACKAGES[*]} != "" ]]; then
- echo "**** Installing all pip packages ****"
+ echo "[mod-init] **** Installing all pip packages ****"
 python3 -m pip install -U pip wheel setuptools
 PIP_ARGS=()
 if [[ -f /usr/bin/apt ]]; then
From 256cbbff64da35fc12527aef81f2b4e0fdd62f93 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Tue, 6 Sep 2022 15:48:18 +0100
Subject: [PATCH 49/60] Fix missing output prefix
---
 root/docker-mods | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
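Review bot: `IFS=' ' read -ra REPO_PACKAGES <<< "$(cat /mod-repo-packages-to-install.list)"` consumes only the first line of the here-string, because `read` stops at the first newline, so a list with one package per line installs just its first entry; the `PIP_PACKAGES` read later in this hunk has the same limitation. Patch 54 on this page works around it with `tr '\n' ' '`; if the lists are always one entry per line, `mapfile -t REPO_PACKAGES < /mod-repo-packages-to-install.list` reads them directly. The guard `[[ ${#REPO_PACKAGES[@]} -ne 0 ]] && [[ ${REPO_PACKAGES[*]} != "" ]]` can also be reduced to `[[ ${#REPO_PACKAGES[@]} -ne 0 ]]`, since splitting on IFS whitespace never produces an empty element.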
diff --git a/root/docker-mods b/root/docker-mods index 97949a6..ae649de 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -31,7 +31,7 @@ tamper_check() { tamper_check_legacy() { # Tamper check custom script locations if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then - echo "**** Potential tampering with custom scripts detected ****" + echo "[custom-init] **** Potential tampering with custom scripts detected ****" randstr=$( tr Date: Fri, 9 Sep 2022 16:24:06 +0100 Subject: [PATCH 50/60] Remove *old* scripts dir, not new --- root/etc/s6-overlay/s6-rc.d/init-custom-files/run | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run index de28df5..86ca303 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run +++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run @@ -32,9 +32,9 @@ if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" done # Remove legacy folder if it's empty - if [[ -e "${SCRIPTS_DIR}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then - echo "[custom-init] Legacy service folder ${SCRIPTS_DIR} is empty, deleting..." - rm -rf "${SCRIPTS_DIR}" + if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then + echo "[custom-init] Legacy files folder ${SCRIPTS_DIR_OLD} is empty, deleting..." + rm -rf "${SCRIPTS_DIR_OLD}" fi elif [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then echo "[custom-init] Files found, executing" From 2ee8af10f961da1d890b244e2d6d088c57976f77 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 9 Sep 2022 16:31:49 +0100 Subject: [PATCH 51/60] Move var declaration to top of script for clarity --- root/docker-mods | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/root/docker-mods b/root/docker-mods
index ae649de..4ab4cd5 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -1,6 +1,12 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
+# Define custom folder paths
+SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
+SCRIPTS_DIR="/custom-cont-init.d"
+SERVICES_DIR_OLD="/config/custom-services.d"
+SERVICES_DIR="/custom-services.d"
+
 # Set executable bit on cont-init and services built into the image
 set_legacy_executable_bits() {
 mkdir -p /etc/{cont-init.d,services.d}
@@ -264,11 +270,6 @@ run_mods() {
 # Main script loop
-SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
-SCRIPTS_DIR="/custom-cont-init.d"
-SERVICES_DIR_OLD="/config/custom-services.d"
-SERVICES_DIR="/custom-services.d"
-
 if [ ! -d "/custom-cont-init.d" ] && [ ! -d "/custom-services.d" ]; then
 # Tamper check legacy custom folders
 tamper_check_legacy
From 4e412a5fdc714d16102c4f9260410fb6998b007c Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 9 Sep 2022 19:47:02 +0100
Subject: [PATCH 52/60] Use DIR vars for folder check
---
 root/docker-mods | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/docker-mods b/root/docker-mods
index 4ab4cd5..5cb356a 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -270,7 +270,7 @@ run_mods() {
 # Main script loop
-if [ ! -d "/custom-cont-init.d" ] && [ ! -d "/custom-services.d" ]; then
+if [ ! -d "${SCRIPTS_DIR}" ] && [ ! -d "${SERVICES_DIR}" ]; then
 # Tamper check legacy custom folders
 tamper_check_legacy
 process_custom_services_legacy
From 0f6c8bd028a57c434ce19a30172d6f2ecfe4b3e8 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sat, 10 Sep 2022 16:28:06 +0100
Subject: [PATCH 53/60] Remove duplicate shellcheck directive
---
 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run | 1 -
 1 file changed, 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
index ff5a4f6..254b3dc 100755
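Review bot: The four path variables moved to the top of docker-mods are later used as `rm -rf` targets, so they should be declared `readonly` (e.g. `readonly SCRIPTS_DIR_OLD="/config/custom-cont-init.d"`, and likewise for the other three added lines) so that nothing further down the script can reassign or empty them before those calls run. A short comment distinguishing the `/config` legacy locations from the image-level ones would also help, since the `_OLD` suffix alone does not explain the difference.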
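Review bot: The rewritten condition keeps single-bracket `[ ! -d … ]` while the functions above in this file test paths with `[[ … ]]`; for consistency, `if [[ ! -d "${SCRIPTS_DIR}" ]] && [[ ! -d "${SERVICES_DIR}" ]]; then`. The `# Main script loop` comment above it could state that this branch is taken only when neither new-style custom folder exists, which is what the condition now expresses through the variables.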
--- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
@@ -1,6 +1,5 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-# shellcheck shell=bash
 if [[ -f "/mod-repo-packages-to-install.list" ]]; then
 IFS=' ' read -ra REPO_PACKAGES <<< "$(cat /mod-repo-packages-to-install.list)"
From 3e928ed92fccf4eb6fb02afbfbdfb9de8ac70058 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Sat, 10 Sep 2022 16:33:05 +0100
Subject: [PATCH 54/60] Fix package reads
---
 root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
index 254b3dc..90b4b2e 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
@@ -2,7 +2,7 @@
 # shellcheck shell=bash
 if [[ -f "/mod-repo-packages-to-install.list" ]]; then
- IFS=' ' read -ra REPO_PACKAGES <<< "$(cat /mod-repo-packages-to-install.list)"
+ IFS=' ' read -ra REPO_PACKAGES <<< "$(tr '\n' ' ' < /mod-repo-packages-to-install.list)"
 if [[ ${#REPO_PACKAGES[@]} -ne 0 ]] && [[ ${REPO_PACKAGES[*]} != "" ]]; then
 echo "[mod-init] **** Installing all mod packages ****"
 if [[ -f /usr/bin/apt ]]; then
@@ -18,7 +18,7 @@ if [[ -f "/mod-repo-packages-to-install.list" ]]; then
 fi
 if [[ -f "/mod-pip-packages-to-install.list" ]]; then
- IFS=' ' read -ra PIP_PACKAGES <<< "$(cat /mod-pip-packages-to-install.list)"
+ IFS=' ' read -ra PIP_PACKAGES <<< "$(tr '\n' ' ' < /mod-pip-packages-to-install.list)"
 if [[ ${#PIP_PACKAGES[@]} -ne 0 ]] && [[ ${PIP_PACKAGES[*]} != "" ]]; then
 echo "[mod-init] **** Installing all pip packages ****"
 python3 -m pip install -U pip wheel setuptools
From 0cd410af3d6c38831cc2c83b358bc1b8e20df639 Mon Sep 17 00:00:00 2001
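Review bot: `tr '\n' ' '` joins the lines so `read -ra` now sees the whole list, but a carriage return from a CRLF-edited list stays attached to the preceding package name and is passed through to apt-get or apk unchanged; `tr '\r\n' '  '` (two spaces as the replacement set) drops both, and the same applies to the pip read in the second hunk of this patch. The purpose of the round trip is not obvious from the line itself, so a comment such as `# lists may be newline- or space-separated; flatten before splitting` would help the next reader.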
From: TheSpad
Date: Sun, 11 Sep 2022 16:13:19 +0100
Subject: [PATCH 55/60] Don't write custom svc warning txt file
---
 root/etc/s6-overlay/s6-rc.d/init-script-check/run | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
index e20e12f..20c2c43 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
@@ -3,7 +3,7 @@
 if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] || [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then
- cat << EOF | tee {/config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt} 2>/dev/null
+ cat << EOF | tee /config/custom-cont-init.d/README.txt 2>/dev/null
 ******************************************************** ******************************************************** * *
From 914b1f16a48f75473a5788fe45975840ba20ec06 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Tue, 13 Sep 2022 11:00:35 +0100
Subject: [PATCH 56/60] Remove custom svc from user bundle
---
 root/docker-mods | 1 +
 1 file changed, 1 insertion(+)
diff --git a/root/docker-mods b/root/docker-mods
index 5cb356a..1e4a329 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -110,6 +110,7 @@ process_custom_services_legacy() {
 if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
 echo "[custom-init] removing existing custom services..."
 rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
+ rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*
 fi
 # Make sure custom service directory exists and has files in it
From 81ae7dfe9b686752e6d92f2fc5984875ed98850b Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Tue, 13 Sep 2022 11:12:42 +0100
Subject: [PATCH 57/60] Fix errors if custom dir is mounted but empty
---
 root/docker-mods | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
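Review bot: The added `rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*` has no `-f`, so when service directories exist but no matching `contents.d` entries do, the glob stays literal and `rm` reports an error for it (and would abort the script if it runs under `set -e`, which this excerpt does not show); the `rm -rf` on the line above already tolerates that case, so use `rm -f /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*`. The identical line added to process_custom_services in patch 58 on this page has the same gap. process_custom_services_legacy continues outside the hunk.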
diff --git a/root/docker-mods b/root/docker-mods
index 1e4a329..be850d2 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -17,18 +17,18 @@ set_legacy_executable_bits() {
 tamper_check() {
 #Tamper check custom service locations
- if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root)" ]]; then
+ if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root 2>/dev/null)" ]]; then
 echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****"
 echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
- elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w)" ]]; then
+ elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w 2>/dev/null)" ]]; then
 echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****"
 echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
 fi
 #Tamper check custom script locations
- if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root)" ]]; then
+ if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root 2>/dev/null)" ]]; then
 echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****"
 echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
- elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w)" ]]; then
+ elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w 2>/dev/null)" ]]; then
 echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. 
****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi @@ -36,7 +36,7 @@ tamper_check() { tamper_check_legacy() { # Tamper check custom script locations - if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then + if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root 2>/dev/null)" ]]; then echo "[custom-init] **** Potential tampering with custom scripts detected ****" randstr=$( tr /dev/null)" ]]; then echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi # Tamper check custom service locations - if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then + if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root 2>/dev/null)" ]]; then echo "[custom-init] **** Potential tampering with custom scripts detected ****" randstr=$( tr /dev/null)" ]]; then echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi From 12948902a1db0a473d0e8cd127cec2163a9090bd Mon Sep 17 00:00:00 2001 From: TheSpad Date: Tue, 13 Sep 2022 11:19:04 +0100 Subject: [PATCH 58/60] Add user bundle removal to legacy block too --- root/docker-mods | 1 + 1 file changed, 1 insertion(+) diff --git a/root/docker-mods b/root/docker-mods index be850d2..d69b801 100755 --- a/root/docker-mods +++ b/root/docker-mods 
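Review bot: Redirecting stderr hides the error that `find ${SERVICES_DIR}/*` raises on an empty directory, but the unquoted glob is the actual problem: it expands only to non-hidden entries, so a dot-prefixed file placed in the folder is never checked for ownership or world-writability, and the redirection now also hides genuine `find` permission errors. Passing the directory itself, `find "${SERVICES_DIR}" ! -user root` (add `-mindepth 1` if the mount point should be exempt), covers every entry and needs no redirection; the same applies to the `-perm -o+w` test and to the two `${SCRIPTS_DIR}` checks in this hunk, and it is the form the legacy checks in the next hunk already use. The `if`/`elif` also reports only the first failing condition, so a folder that is both non-root-owned and world-writable gets a single warning. tamper_check's closing brace is outside the hunk.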
@@ -72,6 +72,7 @@ process_custom_services() {
 if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
 echo "[custom-init] removing existing custom services..."
 rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
+ rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*
 fi
 # Make sure custom service directory exists and has files in it
From 19b9b4baef5aa36348a2a516656a2acd09694ece Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 16 Sep 2022 20:14:15 +0100
Subject: [PATCH 59/60] Regen jenkinsfile
---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index ed2877f..e8e3743 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -673,7 +673,7 @@ pipeline {
 -e DO_REGION="ams3" \
 -e DO_BUCKET="lsio-ci" \
 -t ghcr.io/linuxserver/ci:latest \
- python /ci/ci.py'''
+ python3 test_build.py'''
 }
 }
 }
From 4b88885e86baed281f40cae449371bc420b6b662 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Thu, 22 Sep 2022 21:04:17 +0100
Subject: [PATCH 60/60] CI oneshot should depend on legacy-services
---
 .../99-ci-service-check/dependencies.d/{base => legacy-services} | 0
 .../s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/user | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/{base => legacy-services} (100%)
 delete mode 100644 root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/user
diff --git a/root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/base b/root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/legacy-services
similarity index 100%
rename from root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/base
rename to root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/legacy-services
diff --git a/root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/user b/root/etc/s6-overlay/s6-rc.d/99-ci-service-check/dependencies.d/user
deleted file mode 100644
index e69de29..0000000