diff --git a/root/etc/cont-init.d/02-tamper-check b/root/etc/cont-init.d/02-tamper-check
deleted file mode 100755
index 6699a27..0000000
--- a/root/etc/cont-init.d/02-tamper-check
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
- echo "**** Potential tampering with custom scripts/services detected ****"
- randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
- for folder in "/config/custom-cont-init.d" "/config/custom-services.d"; do
- if [ -d "${folder}" ]; then
- mv "${folder}" "${folder}.${randstr}"
- echo "**** Folder ${folder} is moved to ${folder}.${randstr} ****"
- fi
- done
- echo "**** The folders '/config/custom-cont-init.d' and '/config/custom-services.d'; and their contents need to all be owned by root to prevent root escalation inside the container!!! ****"
- mkdir -p /config/custom-cont-init.d /config/custom-services.d
- chown 0:0 /config/custom-cont-init.d /config/custom-services.d
-elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
- echo "**** The folders '/config/custom-cont-init.d' or '/config/custom-services.d'; or some of their contents have write permissions for others, which is a security risk. ****"
- echo "**** Please review the permissions of these two folders and their contents to make sure they are owned by root, and can only be modified by root. ****"
-fi
diff --git a/root/etc/cont-init.d/90-custom-folders b/root/etc/cont-init.d/90-custom-folders
deleted file mode 100755
index 14b7914..0000000
--- a/root/etc/cont-init.d/90-custom-folders
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# create custom folders and secure permissions
-mkdir -p /config/{custom-cont-init.d,custom-services.d}
-chown -R 0:0 /config/{custom-cont-init.d,custom-services.d}
diff --git a/root/etc/cont-init.d/99-custom-files b/root/etc/cont-init.d/99-custom-files
deleted file mode 100755
index 2195641..0000000
--- a/root/etc/cont-init.d/99-custom-files
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-# Directories
-SCRIPTS_DIR="/config/custom-cont-init.d"
-SERVICES_DIR="/config/custom-services.d"
-
-# Remove all existing custom services before continuing to ensure
-# we aren't running anything the user may have removed
-if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
- echo "[custom-init] removing existing custom services..."
- rm -rf /etc/services.d/custom-service-*
-fi
-
-# Make sure custom init directory exists and has files in it
-if ([ -e "${SCRIPTS_DIR}" ] && \
- [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]) || \
- ([ -e "${SERVICES_DIR}" ] && \
- [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]); then
- if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then
- echo "[custom-init] files found in ${SCRIPTS_DIR} executing"
- for SCRIPT in ${SCRIPTS_DIR}/*; do
- NAME="$(basename "${SCRIPT}")"
- if [ -f "${SCRIPT}" ]; then
- echo "[custom-init] ${NAME}: executing..."
- /bin/bash ${SCRIPT}
- echo "[custom-init] ${NAME}: exited $?"
- elif [ ! -f "${SCRIPT}" ]; then
- echo "[custom-init] ${NAME}: is not a file"
- fi
- done
- fi
- if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
- echo "[custom-init] service files found in ${SERVICES_DIR}"
- for SERVICE in ${SERVICES_DIR}/*; do
- NAME="$(basename "${SERVICE}")"
- if [ -f "${SERVICE}" ]; then
- echo "[custom-init] ${NAME}: service detected, copying..."
- mkdir -p /etc/services.d/custom-service-${NAME}/
- cp ${SERVICE} /etc/services.d/custom-service-${NAME}/run
- chmod +x /etc/services.d/custom-service-${NAME}/run
- echo "[custom-init] ${NAME}: copied"
- elif [ ! -f "${SERVICE}" ]; then
- echo "[custom-init] ${NAME}: is not a file"
- fi
- done
- fi
-else
- echo "[custom-init] no custom files found exiting..."
-fi
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-migrations b/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-migrations
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-script-check
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/cont-init.d/10-adduser b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
similarity index 100%
rename from root/etc/cont-init.d/10-adduser
rename to root/etc/s6-overlay/s6-rc.d/init-adduser/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/type b/root/etc/s6-overlay/s6-rc.d/init-adduser/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/up b/root/etc/s6-overlay/s6-rc.d/init-adduser/up
new file mode 100644
index 0000000..b8522da
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-adduser/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/type b/root/etc/s6-overlay/s6-rc.d/init-base/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-base/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-base/up b/root/etc/s6-overlay/s6-rc.d/init-base/up
new file mode 100644
index 0000000..0738317
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-base/up
@@ -0,0 +1 @@
+# This file doesn't do anything, it's just the end of the base image init process
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream b/root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
new file mode 100755
index 0000000..9cded7f
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
@@ -0,0 +1,87 @@
+#!/usr/bin/with-contenv bash
+
+# Directories
+SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
+SERVICES_DIR_OLD="/config/custom-services.d"
+SCRIPTS_DIR="/custom-cont-init.d"
+SERVICES_DIR="/custom-services.d"
+
+# Remove all existing custom services before continuing to ensure
+# we aren't running anything the user may have removed
+if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
+ echo "[custom-init] removing existing custom services..."
+ rm -rf /etc/services.d/custom-service-*
+fi
+
+if { [ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } && \
+ { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
+ { [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } && \
+ { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
+ echo "[custom-init] no custom files found, exiting..."
+ exit 0
+fi
+
+# Make sure custom init directory exists and has files in it
+if { [ -e "${SCRIPTS_DIR}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } || \
+ { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then
+ if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then
+ echo "[custom-init] files found, executing"
+ for SCRIPT in ${SCRIPTS_DIR}/*; do
+ NAME="$(basename "${SCRIPT}")"
+ if [ -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: executing..."
+ /bin/bash "${SCRIPT}"
+ echo "[custom-init] ${NAME}: exited $?"
+ elif [ ! -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+ if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
+ echo "[custom-init] service files found in ${SERVICES_DIR}"
+ for SERVICE in ${SERVICES_DIR}/*; do
+ NAME="$(basename "${SERVICE}")"
+ if [ -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: service detected, copying..."
+ mkdir -p /etc/services.d/custom-service-"${NAME}"/
+ cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
+ chmod +x /etc/services.d/custom-service-"${NAME}"/run
+ echo "[custom-init] ${NAME}: copied"
+ elif [ ! -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+fi
+
+if { [ -e "${SCRIPTS_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } || \
+ { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
+ if [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; then
+ echo "[custom-init] files found, executing"
+ for SCRIPT in ${SCRIPTS_DIR_OLD}/*; do
+ NAME="$(basename "${SCRIPT}")"
+ if [ -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: executing..."
+ /bin/bash "${SCRIPT}"
+ echo "[custom-init] ${NAME}: exited $?"
+ elif [ ! -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+ if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then
+ echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
+ for SERVICE in ${SERVICES_DIR_OLD}/*; do
+ NAME="$(basename "${SERVICE}")"
+ if [ -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: service detected, copying..."
+ mkdir -p /etc/services.d/custom-service-"${NAME}"/
+ cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
+ chmod +x /etc/services.d/custom-service-"${NAME}"/run
+ echo "[custom-init] ${NAME}: copied"
+ elif [ ! -f "${SERVICE}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ fi
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/type b/root/etc/s6-overlay/s6-rc.d/init-custom-files/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/up b/root/etc/s6-overlay/s6-rc.d/init-custom-files/up
new file mode 100644
index 0000000..28bf318
--- /dev/null
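Review bot: The new run script executes every regular file under /config/custom-cont-init.d as root (`/bin/bash "${SCRIPT}"`) and installs every file under /config/custom-services.d as a root-run service, but nothing in it checks who owns those files or whether they are writable by others; the `! -user root` and `-perm -o+w` checks that 02-tamper-check performed before this point are deleted in this commit and, as far as this diff shows, are not re-created anywhere (init-script-check only prints a notice). The deleted script's own message states why that check existed — the contents must be root-owned "to prevent root escalation inside the container" — and /config is presumably the user-mounted volume, so the new code drops that guard without a replacement. I'd add a helper that refuses a directory when `find "$1" ! -user root -o -perm -o+w` returns anything and call it before each loop; the same helper would also let the four near-identical loops for the old and new locations collapse into one loop over the directory list. Helper and one call site, sketched:
```shell
# Refuse to run anything from a directory that is not root-owned or is writable by others.
safe_dir() {
  if [ -n "$(find "$1" ! -user root -o -perm -o+w 2>/dev/null)" ]; then
    echo "[custom-init] ${1}: not owned by root or writable by others, skipping"
    return 1
  fi
}
# … unchanged: removal of existing custom services, empty-directory early exit …
for DIR in "${SCRIPTS_DIR}" "${SCRIPTS_DIR_OLD}"; do
  if [ -d "${DIR}" ] && safe_dir "${DIR}"; then
    for SCRIPT in "${DIR}"/*; do
      # … unchanged: per-file execute-or-"is not a file" body …
    done
  fi
done
```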
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-custom-files/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base b/root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/type b/root/etc/s6-overlay/s6-rc.d/init-downstream/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-downstream/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-downstream/up b/root/etc/s6-overlay/s6-rc.d/init-downstream/up
new file mode 100644
index 0000000..c329423
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-downstream/up
@@ -0,0 +1 @@
+# This file doesn't do anything, it's just the end of the downstream image init process
diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/dependencies.d/00-legacy b/root/etc/s6-overlay/s6-rc.d/init-envfile/dependencies.d/00-legacy
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/cont-init.d/01-envfile b/root/etc/s6-overlay/s6-rc.d/init-envfile/run
similarity index 100%
rename from root/etc/cont-init.d/01-envfile
rename to root/etc/s6-overlay/s6-rc.d/init-envfile/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/type b/root/etc/s6-overlay/s6-rc.d/init-envfile/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/up b/root/etc/s6-overlay/s6-rc.d/init-envfile/up
new file mode 100644
index 0000000..b2b4fb8
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-envfile/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/dependencies.d/00-legacy b/root/etc/s6-overlay/s6-rc.d/init-migrations/dependencies.d/00-legacy
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/cont-init.d/01-migrations b/root/etc/s6-overlay/s6-rc.d/init-migrations/run
similarity index 98%
rename from root/etc/cont-init.d/01-migrations
rename to root/etc/s6-overlay/s6-rc.d/init-migrations/run
index 4ab4464..5eef083 100755
--- a/root/etc/cont-init.d/01-migrations
+++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/run
@@ -7,7 +7,7 @@ echo "[migrations] started" if [ ! -d $MIGRATIONS_DIR ]; then echo "[migrations] no migrations found"
- exit
+ exit 0
fi for MIGRATION in $(ls -1 ${MIGRATIONS_DIR}/* | sort -n); do
diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/type b/root/etc/s6-overlay/s6-rc.d/init-migrations/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-migrations/up b/root/etc/s6-overlay/s6-rc.d/init-migrations/up
new file mode 100644
index 0000000..7c4cbcf
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-migrations/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-migrations/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/dependencies.d/00-legacy b/root/etc/s6-overlay/s6-rc.d/init-script-check/dependencies.d/00-legacy
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
new file mode 100755
index 0000000..05355ad
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv bash
+
+if { [ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]; } && \
+ { [ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]; }; then
+cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null
+ ********************************************************
+ ********************************************************
+ * *
+ * !!!! *
+ * Custom scripts or services found in legacy locations *
+ * !!!! *
+ * Please move your custom scripts and services *
+ * to /custom-cont-init.d and /custom-services.d *
+ * respectively to ensure they continue working. *
+ * *
+ ********************************************************
+ ********************************************************
+EOF
+fi
\ No newline at end of file
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/type b/root/etc/s6-overlay/s6-rc.d/init-script-check/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/up b/root/etc/s6-overlay/s6-rc.d/init-script-check/up
new file mode 100644
index 0000000..a7c155a
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-script-check/run
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-adduser b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-adduser
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile
new file mode 100644
index 0000000..e69de29
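Review bot: The notice is only produced when both legacy directories are non-empty, because the two `[ -n ... ]` tests are joined with `&&`, while init-custom-files/run in this same commit acts on either directory on its own; a user with only legacy scripts or only legacy services never sees the warning, so the tests should be joined with `||`. The `tee` call also receives one comma-joined argument, `tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt`, which tee treats as a single path whose parent directory does not exist, so with stderr discarded no README is ever written; it needs two arguments, `tee /config/custom-cont-init.d/README.txt /config/custom-services.d/README.txt`. Before fixing that, note that init-custom-files/run treats every regular file in those directories as a script to execute or a service to install, so a README.txt placed there would be run by bash and copied to /etc/services.d/custom-service-README.txt/run on the next start — either write the notice outside those directories or skip README.txt in the loops. Finally, `<<-EOF` strips leading tabs only, so if the box lines are indented with spaces (the collapsed diff cannot show which) that indentation will appear in the output.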
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-migrations b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-migrations
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-script-check b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-script-check
new file mode 100644
index 0000000..e69de29