diff options
| author | Jakob Borg <jakob@kastelo.net> | 2022-09-26 13:39:41 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-26 13:39:41 +0200 |
| commit | 361f7ae56435806c373d02d179c7a60caf845ddf (patch) | |
| tree | 8c738f70266fb58296716b0f25399b0433623e7e | |
| parent | 1cd2f5a91ff853a5136b1110dd05efcf0065a576 (diff) | |
docker: Add env var to control capabilities (#8552)
As it's not simple to run a container under Docker/Kubernetes as
non-root but with additional capabilities, add an internal hack.
| -rw-r--r-- | Dockerfile | 4 | ||||
| -rw-r--r-- | README-Docker.md | 8 | ||||
| -rwxr-xr-x | script/docker-entrypoint.sh | 11 |
3 files changed, 19 insertions, 4 deletions
diff --git a/Dockerfile b/Dockerfile index e7d9ebbbbd..7c4913be67 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,12 +15,12 @@ EXPOSE 8384 22000/tcp 22000/udp 21027/udp VOLUME ["/var/syncthing"] -RUN apk add --no-cache ca-certificates su-exec tzdata +RUN apk add --no-cache ca-certificates su-exec tzdata libcap COPY --from=builder /src/syncthing /bin/syncthing COPY --from=builder /src/script/docker-entrypoint.sh /bin/entrypoint.sh -ENV PUID=1000 PGID=1000 HOME=/var/syncthing +ENV PUID=1000 PGID=1000 HOME=/var/syncthing PCAP= HEALTHCHECK --interval=1m --timeout=10s \ CMD nc -z 127.0.0.1 8384 || exit 1 diff --git a/README-Docker.md b/README-Docker.md index b29c9bc015..27acf53aa1 100644 --- a/README-Docker.md +++ b/README-Docker.md @@ -7,9 +7,13 @@ Use the `/var/syncthing` volume to have the synchronized files available on the host. You can add more folders and map them as you prefer. Note that Syncthing runs as UID 1000 and GID 1000 by default. These may be -altered with the ``PUID`` and ``PGID`` environment variables. In addition +altered with the `PUID` and `PGID` environment variables. In addition the name of the Syncthing instance can be optionally defined by using -``--hostname=syncthing`` parameter. +`--hostname=syncthing` parameter. + +To grant Syncthing additional capabilities without running as root, use the +`PCAP` environment variable with the same syntax as that for `setcap(8)`. +For example, `PCAP=cap_chown,cap_fowner+ep`. ## Example Usage diff --git a/script/docker-entrypoint.sh b/script/docker-entrypoint.sh index 071092a09b..f56817d1b5 100755 --- a/script/docker-entrypoint.sh +++ b/script/docker-entrypoint.sh @@ -3,6 +3,17 @@ set -eu if [ "$(id -u)" = '0' ]; then + binary="$1" + if [ "$PCAP" == "" ] ; then + # If Syncthing should have no extra capabilities, make sure to remove them + # from the binary. This will fail with an error if there are no + # capabilities to remove, hence the || true etc. + setcap -r "$binary" 2>/dev/null || true + else + # Set capabilities on the Syncthing binary before launching it. + setcap "$PCAP" "$binary" + fi + chown "${PUID}:${PGID}" "${HOME}" \ && exec su-exec "${PUID}:${PGID}" \ env HOME="$HOME" "$@" |