From 920099556ea2528717f669bf0c915e9676bb582f Mon Sep 17 00:00:00 2001 From: TheSpad Date: Wed, 5 Oct 2022 18:01:03 +0100 Subject: [PATCH] Pull docker-mods from repo, install curl/jq/netcat --- Dockerfile | 6 + Dockerfile.aarch64 | 6 + Dockerfile.armhf | 6 + root/docker-mods | 291 ------------------- root/etc/s6-overlay/s6-rc.d/init-envfile/run | 4 +- root/usr/bin/with-contenv | 4 +- 6 files changed, 22 insertions(+), 295 deletions(-) delete mode 100755 root/docker-mods diff --git a/Dockerfile b/Dockerfile index 7f57da8..39a637f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,9 +44,12 @@ FROM scratch COPY --from=rootfs-stage /root-out/ / ARG BUILD_DATE ARG VERSION +ARG MODS_VERSION="v3" LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}" LABEL maintainer="TheLamer" +ADD "https://raw.githubusercontent.com/linuxserver/docker-mods/mod-scripts/docker-mods.${MODS_VERSION}" "/docker-mods" + # set environment variables ARG DEBIAN_FRONTEND="noninteractive" ENV HOME="/root" \ @@ -102,6 +105,8 @@ RUN \ apt-get install -y \ curl \ gnupg \ + jq \ + netcat \ tzdata && \ echo "**** generate locale ****" && \ locale-gen en_US.UTF-8 && \ @@ -112,6 +117,7 @@ RUN \ /app \ /config \ /defaults && \ + chmod +x /docker-mods && \ echo "**** cleanup ****" && \ apt-get autoremove && \ apt-get clean && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 59e0e78..a5c592a 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -44,9 +44,12 @@ FROM scratch COPY --from=rootfs-stage /root-out/ / ARG BUILD_DATE ARG VERSION +ARG MODS_VERSION="v3" LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}" LABEL maintainer="TheLamer" +ADD "https://raw.githubusercontent.com/linuxserver/docker-mods/mod-scripts/docker-mods.${MODS_VERSION}" "/docker-mods" + # set environment variables ARG DEBIAN_FRONTEND="noninteractive" ENV HOME="/root" \ @@ -102,6 +105,8 @@ RUN \ apt-get install -y \ curl \ gnupg \ + jq \ + netcat \ tzdata && \ echo "**** generate locale ****" && \ locale-gen en_US.UTF-8 && \ @@ -112,6 +117,7 @@ RUN \ /app \ /config \ /defaults && \ + chmod +x /docker-mods && \ echo "**** add qemu ****" && \ curl -o \ /usr/bin/qemu-aarch64-static -L \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 5b648b4..e87d747 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -44,9 +44,12 @@ FROM scratch COPY --from=rootfs-stage /root-out/ / ARG BUILD_DATE ARG VERSION +ARG MODS_VERSION="v3" LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}" LABEL maintainer="TheLamer" +ADD "https://raw.githubusercontent.com/linuxserver/docker-mods/mod-scripts/docker-mods.${MODS_VERSION}" "/docker-mods" + # set environment variables ARG DEBIAN_FRONTEND="noninteractive" ENV HOME="/root" \ @@ -102,6 +105,8 @@ RUN \ apt-get install -y \ curl \ gnupg \ + jq \ + netcat \ tzdata && \ echo "**** generate locale ****" && \ locale-gen en_US.UTF-8 && \ @@ -112,6 +117,7 @@ RUN \ /app \ /config \ /defaults && \ + chmod +x /docker-mods && \ echo "**** add qemu ****" && \ curl -o \ /usr/bin/qemu-arm-static -L \ diff --git a/root/docker-mods b/root/docker-mods deleted file mode 100755 index 98125dd..0000000 --- a/root/docker-mods +++ /dev/null @@ -1,291 +0,0 @@ -#!/usr/bin/with-contenv bash -# shellcheck shell=bash - -SCRIPTS_DIR_OLD="/config/custom-cont-init.d" -SCRIPTS_DIR="/custom-cont-init.d" -SERVICES_DIR_OLD="/config/custom-services.d" -SERVICES_DIR="/custom-services.d" - -# Set executable bit on cont-init and services built into the image -set_legacy_executable_bits() { - mkdir -p /etc/{cont-init.d,services.d} - chmod +x \ - /etc/cont-init.d/* \ - /etc/services.d/*/* 2>/dev/null || true -} - -tamper_check() { - #Tamper check custom service locations - if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root 2>/dev/null)" ]]; then - echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****" - echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w 2>/dev/null)" ]]; then - echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****" - echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - fi - #Tamper check custom script locations - if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root 2>/dev/null)" ]]; then - echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****" - echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w 2>/dev/null)" ]]; then - echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. ****" - echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - fi -} - -tamper_check_legacy() { - # Tamper check custom script locations - if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root 2>/dev/null)" ]]; then - echo "[custom-init] **** Potential tampering with custom scripts detected ****" - randstr=$( - tr /dev/null)" ]]; then - echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" - echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - fi - - # Tamper check custom service locations - if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root 2>/dev/null)" ]]; then - echo "[custom-init] **** Potential tampering with custom scripts detected ****" - randstr=$( - tr /dev/null)" ]]; then - echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" - echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - fi -} - -process_custom_services() { - # Remove all existing custom services before continuing to ensure - # we aren't running anything the user may have removed - if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then - echo "[custom-init] removing existing custom services..." - rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* - rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-* - fi - - # Make sure custom service directory exists and has files in it - if [[ -e "${SERVICES_DIR}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]]; then - echo "[custom-init] Service files found in ${SERVICES_DIR}" - for SERVICE in "${SERVICES_DIR}"/*; do - NAME="$(basename "${SERVICE}")" - if [[ -f "${SERVICE}" ]]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services - touch /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-"${NAME}" - echo "[custom-init] ${NAME}: copied" - elif [[ ! -f "${SERVICE}" ]]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - else - echo "[custom-init] No custom services found, skipping..." - fi - - # Remove legacy folder if it's empty - if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then - echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..." - rm -rf "${SERVICES_DIR_OLD}" - fi -} - -process_custom_services_legacy() { - - # Remove all existing custom services before continuing to ensure - # we aren't running anything the user may have removed - if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then - echo "[custom-init] removing existing custom services..." - rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* - rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-* - fi - - # Make sure custom service directory exists and has files in it - if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then - echo "[custom-init] Service files found in ${SERVICES_DIR_OLD}" - for SERVICE in "${SERVICES_DIR_OLD}"/*; do - NAME="$(basename "${SERVICE}")" - if [[ -f "${SERVICE}" ]]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services - touch /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-"${NAME}" - echo "[custom-init] ${NAME}: copied" - elif [[ ! -f "${SERVICE}" ]]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - else - echo "[custom-init] No custom services found, skipping..." - fi - - # Remove legacy folder if it's empty - if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then - echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..." - rm -rf "${SERVICES_DIR_OLD}" - fi -} - -# Check for curl -curl_check() { - if [[ ! -f /usr/bin/curl ]] || [[ ! -f /usr/bin/jq ]]; then - echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" - if [[ -f /usr/bin/apt ]]; then - ## Ubuntu - export DEBIAN_FRONTEND="noninteractive" - apt-get update - apt-get install --no-install-recommends -y \ - curl \ - jq - elif [[ -f /sbin/apk ]]; then - # Alpine - apk add --no-cache \ - curl \ - jq - fi - fi -} - -# Use different filtering depending on URL -get_blob_sha() { - if [[ $1 == "ghcr" ]]; then - curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer $2" \ - "$3" | jq -r '.layers[0].digest' - else - curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer $2" \ - "$3" | jq -r '.fsLayers[0].blobSum' - fi -} - -# Main run logic -run_mods() { - echo "[mod-init] Attempting to run Docker Modification Logic" - for DOCKER_MOD in $(echo "${DOCKER_MODS}" | tr '|' '\n'); do - # Support alternative endpoints - if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then - DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" - MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" - MODE="ghcr" - else - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" - MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" - MODE="dockerhub" - fi - # Kill off modification logic if any of the usernames are banned - for BANNED in $(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt); do - if [[ "${BANNED,,}" == "${USERNAME,,}" ]]; then - if [[ -z ${RUN_BANNED_MODS+x} ]]; then - echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" - return - else - echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" - fi - fi - done - echo "[mod-init] Applying ${DOCKER_MOD} files to container" - # Get Dockerhub token for api operations - TOKEN="$( - curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --header 'GET' \ - "${AUTH_URL}" | - jq -r '.token' - )" - # Determine first and only layer of image - SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") - # Check if we have allready applied this layer - if [[ -f "/${FILENAME}" ]] && [[ "${SHALAYER}" == "$(cat /"${FILENAME}")" ]]; then - echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" - else - # Download and extract layer to / - curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer ${TOKEN}" \ - "${BLOB_URL}${SHALAYER}" -o \ - /modtarball.tar.xz - mkdir -p /tmp/mod - tar xzf /modtarball.tar.xz -C /tmp/mod - if [[ -d /tmp/mod/etc/s6-overlay ]]; then - if [[ -d /tmp/mod/etc/cont-init.d ]]; then - rm -rf /tmp/mod/etc/cont-init.d - fi - if [[ -d /tmp/mod/etc/services.d ]]; then - rm -rf /tmp/mod/etc/services.d - fi - fi - shopt -s dotglob - cp -R /tmp/mod/* / - shopt -u dotglob - rm -rf /tmp/mod - rm -rf /modtarball.tar.xz - echo "${SHALAYER}" >"/${FILENAME}" - echo "[mod-init] ${DOCKER_MOD} applied to container" - fi - done -} - -# Main script loop - -if [ ! -d "/custom-cont-init.d" ] && [ ! -d "/custom-services.d" ]; then - # Tamper check legacy custom folders - tamper_check_legacy - process_custom_services_legacy -else - # Tamper check new custom folders - tamper_check - process_custom_services -fi - -# Run mod logic -if [[ -n "${DOCKER_MODS+x}" ]]; then - curl_check - run_mods -fi - -# Set executable bit on legacy cont-init and services built into the image and anything legacy unpacked by mods -set_legacy_executable_bits diff --git a/root/etc/s6-overlay/s6-rc.d/init-envfile/run b/root/etc/s6-overlay/s6-rc.d/init-envfile/run index 3040a92..5dbf809 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-envfile/run +++ b/root/etc/s6-overlay/s6-rc.d/init-envfile/run @@ -1,8 +1,8 @@ #!/usr/bin/with-contenv bash # shellcheck shell=bash -if find /var/run/s6/container_environment/*"FILE__"* -maxdepth 1 > /dev/null 2>&1; then - for FILENAME in /var/run/s6/container_environment/*; do +if find /run/s6/container_environment/*"FILE__"* -maxdepth 1 > /dev/null 2>&1; then + for FILENAME in /run/s6/container_environment/*; do if [[ "${FILENAME##*/}" == "FILE__"* ]]; then SECRETFILE=$(cat "${FILENAME}") if [[ -f ${SECRETFILE} ]]; then diff --git a/root/usr/bin/with-contenv b/root/usr/bin/with-contenv index e47468c..e9e1bc8 100755 --- a/root/usr/bin/with-contenv +++ b/root/usr/bin/with-contenv @@ -1,9 +1,9 @@ #!/bin/bash -if [[ -f /var/run/s6/container_environment/UMASK ]] && +if [[ -f /run/s6/container_environment/UMASK ]] && { [[ "$(pwdx $$)" =~ "/run/s6/legacy-services/" ]] || [[ "$(pwdx $$)" =~ "/run/s6/services/" ]] || [[ "$(pwdx $$)" =~ "/servicedirs/svc-" ]]; }; then - umask "$(cat /var/run/s6/container_environment/UMASK)" + umask "$(cat /run/s6/container_environment/UMASK)" fi exec /command/with-contenv "$@"