148 wiersze
4.6 KiB
Plaintext
Executable File
148 wiersze
4.6 KiB
Plaintext
Executable File
#!/usr/bin/with-contenv bash
|
|
|
|
# Set executable bit on cont-init and services built into the image
|
|
set_legacy_executable_bits() {
|
|
mkdir -p /etc/{cont-init.d,services.d}
|
|
chmod +x \
|
|
/etc/cont-init.d/* \
|
|
/etc/services.d/*/* 2> /dev/null || true
|
|
}
|
|
set_legacy_executable_bits
|
|
|
|
# Exit if mods is not set
|
|
if [ -z ${DOCKER_MODS+x} ]; then
|
|
exit 0
|
|
fi
|
|
|
|
# Check for curl
|
|
if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then
|
|
echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing"
|
|
if [ -f /usr/bin/apt ]; then
|
|
## Ubuntu
|
|
apt-get update
|
|
apt-get install --no-install-recommends -y \
|
|
curl \
|
|
jq
|
|
elif [ -f /sbin/apk ]; then
|
|
# Alpine
|
|
apk add --no-cache \
|
|
curl \
|
|
jq
|
|
fi
|
|
fi
|
|
|
|
## Functions
|
|
|
|
# Use different filtering depending on URL
|
|
get_blob_sha () {
|
|
if [[ $1 == "ghcr" ]]; then
|
|
curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
|
|
--silent \
|
|
--location \
|
|
--request GET \
|
|
--header "Authorization: Bearer $2" \
|
|
$3 | jq -r '.layers[0].digest'
|
|
else
|
|
curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
|
|
--silent \
|
|
--location \
|
|
--request GET \
|
|
--header "Authorization: Bearer $2" \
|
|
$3 | jq -r '.fsLayers[0].blobSum'
|
|
fi
|
|
}
|
|
|
|
# Main run logic
|
|
echo "[mod-init] Attempting to run Docker Modification Logic"
|
|
IFS='|'
|
|
DOCKER_MODS=(${DOCKER_MODS})
|
|
for DOCKER_MOD in "${DOCKER_MODS[@]}"; do
|
|
# Support alternative endpoints
|
|
if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then
|
|
DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}"
|
|
ENDPOINT="${DOCKER_MOD%%:*}"
|
|
USERNAME="${DOCKER_MOD%%/*}"
|
|
REPO="${ENDPOINT#*/}"
|
|
TAG="${DOCKER_MOD#*:}"
|
|
if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
|
|
TAG="latest"
|
|
fi
|
|
FILENAME="${USERNAME}.${REPO}.${TAG}"
|
|
AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull"
|
|
MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}"
|
|
BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/"
|
|
MODE="ghcr"
|
|
else
|
|
ENDPOINT="${DOCKER_MOD%%:*}"
|
|
USERNAME="${DOCKER_MOD%%/*}"
|
|
REPO="${ENDPOINT#*/}"
|
|
TAG="${DOCKER_MOD#*:}"
|
|
if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
|
|
TAG="latest"
|
|
fi
|
|
FILENAME="${USERNAME}.${REPO}.${TAG}"
|
|
AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull"
|
|
MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}"
|
|
BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/"
|
|
MODE="dockerhub"
|
|
fi
|
|
# Kill off modification logic if any of the usernames are banned
|
|
BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt)
|
|
IFS=$'\n'
|
|
BLACKLIST=(${BLACKLIST})
|
|
for BANNED in "${BLACKLIST[@]}"; do
|
|
if [ "${BANNED}" == "${USERNAME,,}" ]; then
|
|
if [ -z ${RUN_BANNED_MODS+x} ]; then
|
|
echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic"
|
|
exit 0
|
|
else
|
|
echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied"
|
|
fi
|
|
fi
|
|
done
|
|
echo "[mod-init] Applying ${DOCKER_MOD} files to container"
|
|
# Get Dockerhub token for api operations
|
|
TOKEN=\
|
|
"$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
|
|
--silent \
|
|
--header 'GET' \
|
|
"${AUTH_URL}" \
|
|
| jq -r '.token' \
|
|
)"
|
|
# Determine first and only layer of image
|
|
SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}")
|
|
# Check if we have allready applied this layer
|
|
if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then
|
|
echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping"
|
|
else
|
|
# Download and extract layer to /
|
|
curl -f --retry 10 --retry-max-time 60 --retry-all-errors \
|
|
--silent \
|
|
--location \
|
|
--request GET \
|
|
--header "Authorization: Bearer ${TOKEN}" \
|
|
"${BLOB_URL}${SHALAYER}" -o \
|
|
/modtarball.tar.xz
|
|
mkdir -p /tmp/mod
|
|
tar xzf /modtarball.tar.xz -C /tmp/mod
|
|
if [ -d /tmp/mod/etc/s6-overlay ]; then
|
|
if [ -d /tmp/mod/etc/cont-init.d ]; then
|
|
rm -rf /tmp/mod/etc/cont-init.d
|
|
fi
|
|
if [ -d /tmp/mod/etc/services.d ]; then
|
|
rm -rf /tmp/mod/etc/services.d
|
|
fi
|
|
fi
|
|
shopt -s dotglob
|
|
cp -R /tmp/mod/* /
|
|
shopt -u dotglob
|
|
rm -rf /tmp/mod
|
|
rm -rf /modtarball.tar.xz
|
|
echo ${SHALAYER} > "/${FILENAME}"
|
|
echo "[mod-init] ${DOCKER_MOD} applied to container"
|
|
fi
|
|
done
|
|
|
|
# Set executable bit on cont-init and services that may have been unpacked by mods
|
|
set_legacy_executable_bits
|