docker: Add env var to control capabilities (#8552)

As it's not simple to run a container under Docker/Kubernetes as
non-root but with additional capabilities, add an internal hack.
Jakob Borg 2022-09-26 13:39:41 +02:00 committed by GitHub
parent 1cd2f5a91f
commit 361f7ae564
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 19 additions and 4 deletions


@ -15,12 +15,12 @@ EXPOSE 8384 22000/tcp 22000/udp 21027/udp
VOLUME ["/var/syncthing"] VOLUME ["/var/syncthing"]
RUN apk add --no-cache ca-certificates su-exec tzdata RUN apk add --no-cache ca-certificates su-exec tzdata libcap
COPY --from=builder /src/syncthing /bin/syncthing COPY --from=builder /src/syncthing /bin/syncthing
COPY --from=builder /src/script/docker-entrypoint.sh /bin/entrypoint.sh COPY --from=builder /src/script/docker-entrypoint.sh /bin/entrypoint.sh
ENV PUID=1000 PGID=1000 HOME=/var/syncthing ENV PUID=1000 PGID=1000 HOME=/var/syncthing PCAP=
HEALTHCHECK --interval=1m --timeout=10s \ HEALTHCHECK --interval=1m --timeout=10s \
CMD nc -z 127.0.0.1 8384 || exit 1 CMD nc -z 127.0.0.1 8384 || exit 1
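Review bot: The new `PCAP=` default added to the `ENV` line has no comment explaining what the value is, although the entrypoint in this same commit passes it straight to `setcap` on the Syncthing binary while still running as root, so a reader of the Dockerfile alone cannot tell that this is a privilege-granting knob. Add above the `ENV` line `# PCAP: optional setcap(8) capability string applied to /bin/syncthing before privileges are dropped (e.g. cap_chown,cap_fowner+ep); empty = no extra capabilities`. The empty default is also what keeps the entrypoint's `set -u` from tripping on an unset variable, which is worth stating in that comment so nobody removes it as dead config.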


@ -7,9 +7,13 @@ Use the `/var/syncthing` volume to have the synchronized files available on the
host. You can add more folders and map them as you prefer. host. You can add more folders and map them as you prefer.
Note that Syncthing runs as UID 1000 and GID 1000 by default. These may be Note that Syncthing runs as UID 1000 and GID 1000 by default. These may be
altered with the ``PUID`` and ``PGID`` environment variables. In addition altered with the `PUID` and `PGID` environment variables. In addition
the name of the Syncthing instance can be optionally defined by using the name of the Syncthing instance can be optionally defined by using
``--hostname=syncthing`` parameter. `--hostname=syncthing` parameter.
To grant Syncthing additional capabilities without running as root, use the
`PCAP` environment variable with the same syntax as that for `setcap(8)`.
For example, `PCAP=cap_chown,cap_fowner+ep`.
## Example Usage ## Example Usage


@ -3,6 +3,17 @@
set -eu set -eu
if [ "$(id -u)" = '0' ]; then if [ "$(id -u)" = '0' ]; then
binary="$1"
if [ "$PCAP" == "" ] ; then
# If Syncthing should have no extra capabilities, make sure to remove them
# from the binary. This will fail with an error if there are no
# capabilities to remove, hence the || true etc.
setcap -r "$binary" 2>/dev/null || true
else
# Set capabilities on the Syncthing binary before launching it.
setcap "$PCAP" "$binary"
fi
chown "${PUID}:${PGID}" "${HOME}" \ chown "${PUID}:${PGID}" "${HOME}" \
&& exec su-exec "${PUID}:${PGID}" \ && exec su-exec "${PUID}:${PGID}" \
env HOME="$HOME" "$@" env HOME="$HOME" "$@"
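Review bot: The new guard `if [ "$PCAP" == "" ] ; then` uses `==`, which is not POSIX `test` syntax; shells such as dash reject it with an "unexpected operator" error, and the shebang is not visible in the hunk to confirm which shell runs this script. With `set -eu` in effect (line 40), an unset `PCAP` also aborts the script before the comparison runs, so the branch only works because the image sets `ENV PCAP=`; replacing it with `if [ -z "${PCAP:-}" ]; then` makes it both portable and safe when the entrypoint is run with the variable unset. `binary="$1"` likewise assumes the first argument is the path of the binary: an empty command line fails at that assignment under `set -u`, and a first argument that is not a file path (for example a flag) will make `setcap` fail, so a one-line comment stating this contract, or an explicit `[ -f "$binary" ]` check, would help. The enclosing `if [ "$(id -u)" = '0' ]` block closes outside the hunk.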