meatbag/baseimage-alpine
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Reorder so custom services aren't dependent on mods

Browse source
This commit is contained in:
TheSpad 2022-06-10 23:38:29 +01:00
parent 3e69697264
commit d7ac0a9a4e
No known key found for this signature in database
GPG key ID: 08F06191F4587860
1 changed files with 179 additions and 166 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

345
root/docker-mods
View file

@ -1,37 +1,108 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
#shellcheck disable=SC2120
# Set executable bit on cont-init and services built into the image # Set executable bit on cont-init and services built into the image
set_legacy_executable_bits() { set_legacy_executable_bits () {
mkdir -p /etc/{cont-init.d,services.d} mkdir -p /etc/{cont-init.d,services.d}
chmod +x \ chmod +x \
/etc/cont-init.d/* \ /etc/cont-init.d/* \
/etc/services.d/*/* 2> /dev/null || true /etc/services.d/*/* 2> /dev/null || true
} }
set_legacy_executable_bits
# Exit if mods is not set # Tamper check legacy custom service locations
if [ -z ${DOCKER_MODS+x} ]; then tamper_check () {
exit 0 if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
fi echo "**** Potential tampering with custom scripts detected ****"
randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"
echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****"
echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p /config/custom-services.d
chown 0:0 /config/custom-services.d
elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
}
# Process Custom Services
process_custom_services() {
SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d"
# Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed
if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then
echo "[custom-init] removing existing custom services..."
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
fi
if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
{ [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
echo "[custom-init] no custom files found, exiting..."
return
fi
# Make sure custom init directory exists and has files in it
if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then
if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
echo "[custom-init] service files found in ${SERVICES_DIR}"
for SERVICE in ${SERVICES_DIR}/*; do
NAME="$(basename "${SERVICE}")"
if [ -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
echo "[custom-init] ${NAME}: copied"
elif [ ! -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
fi
if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then
echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
for SERVICE in ${SERVICES_DIR_OLD}/*; do
NAME="$(basename "${SERVICE}")"
if [ -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up
echo "[custom-init] ${NAME}: copied"
elif [ ! -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
fi
}
# Check for curl # Check for curl
if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then curl_check () {
echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then
if [ -f /usr/bin/apt ]; then echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing"
## Ubuntu if [ -f /usr/bin/apt ]; then
apt-get update ## Ubuntu
apt-get install --no-install-recommends -y \ apt-get update
curl \ apt-get install --no-install-recommends -y \
jq curl \
elif [ -f /sbin/apk ]; then jq
# Alpine elif [ -f /sbin/apk ]; then
apk add --no-cache \ # Alpine
curl \ apk add --no-cache \
jq curl \
jq
fi
fi fi
fi }
## Functions
# Use different filtering depending on URL # Use different filtering depending on URL
get_blob_sha () { get_blob_sha () {
@ -53,152 +124,94 @@ get_blob_sha () {
} }
# Main run logic # Main run logic
echo "[mod-init] Attempting to run Docker Modification Logic" run_mods () {
IFS='|' echo "[mod-init] Attempting to run Docker Modification Logic"
DOCKER_MODS=(${DOCKER_MODS}) IFS='|'
for DOCKER_MOD in "${DOCKER_MODS[@]}"; do DOCKER_MODS=(${DOCKER_MODS})
# Support alternative endpoints for DOCKER_MOD in "${DOCKER_MODS[@]}"; do
if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then # Support alternative endpoints
DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then
ENDPOINT="${DOCKER_MOD%%:*}" DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}"
USERNAME="${DOCKER_MOD%%/*}" ENDPOINT="${DOCKER_MOD%%:*}"
REPO="${ENDPOINT#*/}" USERNAME="${DOCKER_MOD%%/*}"
TAG="${DOCKER_MOD#*:}" REPO="${ENDPOINT#*/}"
if [[ ${TAG} == "${DOCKER_MOD}" ]]; then TAG="${DOCKER_MOD#*:}"
TAG="latest" if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
fi TAG="latest"
FILENAME="${USERNAME}.${REPO}.${TAG}"
AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull"
MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}"
BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/"
MODE="ghcr"
else
ENDPOINT="${DOCKER_MOD%%:*}"
USERNAME="${DOCKER_MOD%%/*}"
REPO="${ENDPOINT#*/}"
TAG="${DOCKER_MOD#*:}"
if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
TAG="latest"
fi
FILENAME="${USERNAME}.${REPO}.${TAG}"
AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull"
MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}"
BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/"
MODE="dockerhub"
fi
# Kill off modification logic if any of the usernames are banned
BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt)
IFS=$'\n'
BLACKLIST=(${BLACKLIST})
for BANNED in "${BLACKLIST[@]}"; do
if [ "${BANNED}" == "${USERNAME,,}" ]; then
if [ -z ${RUN_BANNED_MODS+x} ]; then
echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic"
exit 0
else
echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied"
fi fi
FILENAME="${USERNAME}.${REPO}.${TAG}"
AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull"
MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}"
BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/"
MODE="ghcr"
else
ENDPOINT="${DOCKER_MOD%%:*}"
USERNAME="${DOCKER_MOD%%/*}"
REPO="${ENDPOINT#*/}"
TAG="${DOCKER_MOD#*:}"
if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
TAG="latest"
fi
FILENAME="${USERNAME}.${REPO}.${TAG}"
AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull"
MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}"
BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/"
MODE="dockerhub"
fi
# Kill off modification logic if any of the usernames are banned
BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt)
IFS=$'\n'
BLACKLIST=(${BLACKLIST})
for BANNED in "${BLACKLIST[@]}"; do
if [ "${BANNED}" == "${USERNAME,,}" ]; then
if [ -z ${RUN_BANNED_MODS+x} ]; then
echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic"
return
else
echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied"
fi
fi
done
echo "[mod-init] Applying ${DOCKER_MOD} files to container"
# Get Dockerhub token for api operations
TOKEN="$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
--silent \
--header 'GET' \
"${AUTH_URL}" \
| jq -r '.token' \
)"
# Determine first and only layer of image
SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}")
# Check if we have allready applied this layer
if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then
echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping"
else
# Download and extract layer to /
curl -f --retry 10 --retry-max-time 60 --retry-all-errors \
--silent \
--location \
--request GET \
--header "Authorization: Bearer ${TOKEN}" \
"${BLOB_URL}${SHALAYER}" -o \
/modtarball.tar.xz
tar xzf /modtarball.tar.xz -C /
rm -rf /modtarball.tar.xz
echo ${SHALAYER} > "/${FILENAME}"
fi fi
done done
echo "[mod-init] Applying ${DOCKER_MOD} files to container" }
# Get Dockerhub token for api operations
TOKEN=\
"$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
--silent \
--header 'GET' \
"${AUTH_URL}" \
| jq -r '.token' \
)"
# Determine first and only layer of image
SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}")
# Check if we have allready applied this layer
if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then
echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping"
else
# Download and extract layer to /
curl -f --retry 10 --retry-max-time 60 --retry-all-errors \
--silent \
--location \
--request GET \
--header "Authorization: Bearer ${TOKEN}" \
"${BLOB_URL}${SHALAYER}" -o \
/modtarball.tar.xz
tar xzf /modtarball.tar.xz -C /
rm -rf /modtarball.tar.xz
echo ${SHALAYER} > "/${FILENAME}"
fi
done
# Set executable bit on cont-init and services that may have been unpacked by mods # Tamper check legacy services
tamper_check
# Process any custom services
process_custom_services
# Run mod logic
if [ -n "${DOCKER_MODS+x}" ]; then
curl_check
run_mods
fi
# Set executable bit on legacy cont-init and services built into the image and anything legacy unpacked by mods
set_legacy_executable_bits set_legacy_executable_bits
# Process Custom Services
SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d"
# Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed
if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then
echo "[custom-init] removing existing custom services..."
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
fi
# Tamper check services
if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
echo "**** Potential tampering with custom scripts detected ****"
randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"
echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****"
echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p /config/custom-services.d
chown 0:0 /config/custom-services.d
elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
{ [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
echo "[custom-init] no custom files found, exiting..."
exit 0
fi
# Make sure custom init directory exists and has files in it
if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then
if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
echo "[custom-init] service files found in ${SERVICES_DIR}"
for SERVICE in ${SERVICES_DIR}/*; do
NAME="$(basename "${SERVICE}")"
if [ -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
echo "[custom-init] ${NAME}: copied"
elif [ ! -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
fi
if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then
echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
for SERVICE in ${SERVICES_DIR_OLD}/*; do
NAME="$(basename "${SERVICE}")"
if [ -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/
cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up
echo "[custom-init] ${NAME}: copied"
elif [ ! -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
fi