#!/usr/bin/with-contenv bash #shellcheck disable=SC2120 # Set executable bit on cont-init and services built into the image set_legacy_executable_bits () { mkdir -p /etc/{cont-init.d,services.d} chmod +x \ /etc/cont-init.d/* \ /etc/services.d/*/* 2> /dev/null || true } # Tamper check legacy custom service locations tamper_check () { if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then echo "**** Potential tampering with custom scripts detected ****" randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) mv "/config/custom-services.d" "/config/custom-services.d.${randstr}" echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****" echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" mkdir -p /config/custom-services.d chown 0:0 /config/custom-services.d elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****" echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi } # Process Custom Services process_custom_services() { SERVICES_DIR_OLD="/config/custom-services.d" SERVICES_DIR="/custom-services.d" # Remove all existing custom services before continuing to ensure # we aren't running anything the user may have removed if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then echo "[custom-init] removing existing custom services..." rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* fi if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then echo "[custom-init] no custom files found, exiting..." return fi # Make sure custom init directory exists and has files in it if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then echo "[custom-init] service files found in ${SERVICES_DIR}" for SERVICE in ${SERVICES_DIR}/*; do NAME="$(basename "${SERVICE}")" if [ -f "${SERVICE}" ]; then echo "[custom-init] ${NAME}: service detected, copying..." mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type echo "[custom-init] ${NAME}: copied" elif [ ! -f "${SERVICE}" ]; then echo "[custom-init] ${NAME}: is not a file" fi done fi fi if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" for SERVICE in ${SERVICES_DIR_OLD}/*; do NAME="$(basename "${SERVICE}")" if [ -f "${SERVICE}" ]; then echo "[custom-init] ${NAME}: service detected, copying..." mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up echo "[custom-init] ${NAME}: copied" elif [ ! -f "${SERVICE}" ]; then echo "[custom-init] ${NAME}: is not a file" fi done fi fi } # Check for curl curl_check () { if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" if [ -f /usr/bin/apt ]; then ## Ubuntu apt-get update apt-get install --no-install-recommends -y \ curl \ jq elif [ -f /sbin/apk ]; then # Alpine apk add --no-cache \ curl \ jq fi fi } # Use different filtering depending on URL get_blob_sha () { if [[ $1 == "ghcr" ]]; then curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ --silent \ --location \ --request GET \ --header "Authorization: Bearer $2" \ $3 | jq -r '.layers[0].digest' else curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ --silent \ --location \ --request GET \ --header "Authorization: Bearer $2" \ $3 | jq -r '.fsLayers[0].blobSum' fi } # Main run logic run_mods () { echo "[mod-init] Attempting to run Docker Modification Logic" IFS='|' DOCKER_MODS=(${DOCKER_MODS}) for DOCKER_MOD in "${DOCKER_MODS[@]}"; do # Support alternative endpoints if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" ENDPOINT="${DOCKER_MOD%%:*}" USERNAME="${DOCKER_MOD%%/*}" REPO="${ENDPOINT#*/}" TAG="${DOCKER_MOD#*:}" if [[ ${TAG} == "${DOCKER_MOD}" ]]; then TAG="latest" fi FILENAME="${USERNAME}.${REPO}.${TAG}" AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" MODE="ghcr" else ENDPOINT="${DOCKER_MOD%%:*}" USERNAME="${DOCKER_MOD%%/*}" REPO="${ENDPOINT#*/}" TAG="${DOCKER_MOD#*:}" if [[ ${TAG} == "${DOCKER_MOD}" ]]; then TAG="latest" fi FILENAME="${USERNAME}.${REPO}.${TAG}" AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" MODE="dockerhub" fi # Kill off modification logic if any of the usernames are banned BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt) IFS=$'\n' BLACKLIST=(${BLACKLIST}) for BANNED in "${BLACKLIST[@]}"; do if [ "${BANNED}" == "${USERNAME,,}" ]; then if [ -z ${RUN_BANNED_MODS+x} ]; then echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" return else echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" fi fi done echo "[mod-init] Applying ${DOCKER_MOD} files to container" # Get Dockerhub token for api operations TOKEN="$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ --silent \ --header 'GET' \ "${AUTH_URL}" \ | jq -r '.token' \ )" # Determine first and only layer of image SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") # Check if we have allready applied this layer if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" else # Download and extract layer to / curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ --silent \ --location \ --request GET \ --header "Authorization: Bearer ${TOKEN}" \ "${BLOB_URL}${SHALAYER}" -o \ /modtarball.tar.xz tar xzf /modtarball.tar.xz -C / rm -rf /modtarball.tar.xz echo ${SHALAYER} > "/${FILENAME}" fi done } # Tamper check legacy services tamper_check # Process any custom services process_custom_services # Run mod logic if [ -n "${DOCKER_MODS+x}" ]; then curl_check run_mods fi # Set executable bit on legacy cont-init and services built into the image and anything legacy unpacked by mods set_legacy_executable_bits