cotugno/syncthing
2
Fork 0
mirror of https://github.com/syncthing/syncthing.git synced 2024-11-15 09:58:57 -07:00
Code Issues Packages Projects Releases Wiki Activity

docker: Add env var to control capabilities (#8552)

Browse Source 
As it's not simple to run a container under Docker/Kubernetes as
non-root but with additional capabilities, add an internal hack.
This commit is contained in:
Jakob Borg 2022-09-26 13:39:41 +02:00 committed by GitHub
parent 1cd2f5a91f
commit 361f7ae564
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Dockerfile
View File

@ -15,12 +15,12 @@ EXPOSE 8384 22000/tcp 22000/udp 21027/udp
VOLUME ["/var/syncthing"]
RUN apk add --no-cache ca-certificates su-exec tzdata
RUN apk add --no-cache ca-certificates su-exec tzdata libcap
COPY --from=builder /src/syncthing /bin/syncthing
COPY --from=builder /src/script/docker-entrypoint.sh /bin/entrypoint.sh
ENV PUID=1000 PGID=1000 HOME=/var/syncthing
ENV PUID=1000 PGID=1000 HOME=/var/syncthing PCAP=
HEALTHCHECK --interval=1m --timeout=10s \
CMD nc -z 127.0.0.1 8384 || exit 1

8
README-Docker.md
View File

@ -7,9 +7,13 @@ Use the `/var/syncthing` volume to have the synchronized files available on the
host. You can add more folders and map them as you prefer.
Note that Syncthing runs as UID 1000 and GID 1000 by default. These may be
altered with the ``PUID`` and ``PGID`` environment variables. In addition
altered with the `PUID` and `PGID` environment variables. In addition
the name of the Syncthing instance can be optionally defined by using
``--hostname=syncthing`` parameter.
`--hostname=syncthing` parameter.
To grant Syncthing additional capabilities without running as root, use the
`PCAP` environment variable with the same syntax as that for `setcap(8)`.
For example, `PCAP=cap_chown,cap_fowner+ep`.
## Example Usage

11
script/docker-entrypoint.sh
View File

@ -3,6 +3,17 @@
set -eu
if [ "$(id -u)" = '0' ]; then
binary="$1"
if [ "$PCAP" == "" ] ; then
# If Syncthing should have no extra capabilities, make sure to remove them
# from the binary. This will fail with an error if there are no
# capabilities to remove, hence the || true etc.
setcap -r "$binary" 2>/dev/null || true
else
# Set capabilities on the Syncthing binary before launching it.
setcap "$PCAP" "$binary"
fi
chown "${PUID}:${PGID}" "${HOME}" \
&& exec su-exec "${PUID}:${PGID}" \
env HOME="$HOME" "$@"