docker: Add env var to control capabilities (#8552)

As it's not simple to run a container under Docker/Kubernetes as
non-root but with additional capabilities, add an internal hack.
This commit is contained in:
Jakob Borg
2022-09-26 13:39:41 +02:00
committed by GitHub
parent 1cd2f5a91f
commit 361f7ae564
3 changed files with 19 additions and 4 deletions
+2 -2
@@ -15,12 +15,12 @@ EXPOSE 8384 22000/tcp 22000/udp 21027/udp
VOLUME ["/var/syncthing"]
RUN apk add --no-cache ca-certificates su-exec tzdata
RUN apk add --no-cache ca-certificates su-exec tzdata libcap
COPY --from=builder /src/syncthing /bin/syncthing
COPY --from=builder /src/script/docker-entrypoint.sh /bin/entrypoint.sh
ENV PUID=1000 PGID=1000 HOME=/var/syncthing
ENV PUID=1000 PGID=1000 HOME=/var/syncthing PCAP=
HEALTHCHECK --interval=1m --timeout=10s \
CMD nc -z 127.0.0.1 8384 || exit 1
+6 -2
@@ -7,9 +7,13 @@ Use the `/var/syncthing` volume to have the synchronized files available on the
host. You can add more folders and map them as you prefer.
Note that Syncthing runs as UID 1000 and GID 1000 by default. These may be
altered with the ``PUID`` and ``PGID`` environment variables. In addition
altered with the `PUID` and `PGID` environment variables. In addition
the name of the Syncthing instance can be optionally defined by using
``--hostname=syncthing`` parameter.
`--hostname=syncthing` parameter.
To grant Syncthing additional capabilities without running as root, use the
`PCAP` environment variable with the same syntax as that for `setcap(8)`.
For example, `PCAP=cap_chown,cap_fowner+ep`.
## Example Usage
+11
@@ -3,6 +3,17 @@
set -eu
if [ "$(id -u)" = '0' ]; then
binary="$1"
if [ "$PCAP" == "" ] ; then
# If Syncthing should have no extra capabilities, make sure to remove them
# from the binary. This will fail with an error if there are no
# capabilities to remove, hence the || true etc.
setcap -r "$binary" 2>/dev/null || true
else
# Set capabilities on the Syncthing binary before launching it.
setcap "$PCAP" "$binary"
fi
chown "${PUID}:${PGID}" "${HOME}" \
&& exec su-exec "${PUID}:${PGID}" \
env HOME="$HOME" "$@"
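Review bot: The new test `if [ "$PCAP" == "" ] ; then` uses `==` inside single-bracket `[`, which is not POSIX (the script is `set -eu` style sh, not bash), and under `set -u` an unset `PCAP` aborts the entrypoint before the branch is even evaluated — the image's `ENV PCAP=` default masks this only when the script is run inside that image; `if [ "${PCAP:-}" = "" ]; then` is both portable and safe against an unset variable. `binary="$1"` assumes the first argument is a path that `setcap` can open, which holds for the image's CMD but is worth a comment such as `# $1 must be the path to the syncthing binary, as setcap operates on the file, not on PATH lookups`. Because this block runs only as root and applies whatever file capabilities `PCAP` names to the binary, a short comment stating that `PCAP` is deployer-controlled and that an invalid value intentionally fails startup (via `set -e`) would make the trust boundary explicit. The enclosing `if [ "$(id -u)" = '0' ]` closes outside the hunk.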