From f18a67a28b3c813c653b71ac09a46672beb28e7a Mon Sep 17 00:00:00 2001
From: thespad
Date: Tue, 24 Dec 2024 16:53:12 +0000
Subject: [PATCH] Rebase to 3.21
---
 Dockerfile | 2 +-
 Dockerfile.aarch64 | 2 +-
 README.md | 6 ++++++
 readme-vars.yml | 2 ++
 root/etc/s6-overlay/s6-rc.d/init-fleet-config/run | 7 ++++---
 root/etc/s6-overlay/s6-rc.d/svc-fleet/run | 12 +++++++++---
 6 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 950f677..7af9f79 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:3.21
 # set version label
 ARG BUILD_DATE
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 6c351ca..f347fc9 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.21
 # set version label
 ARG BUILD_DATE
diff --git a/README.md b/README.md
index 2f16a3c..b1dae98 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,10 @@ Once complete, you can log into the app via `http://your_ip_here:8080/login` to
 This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+## Usage
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -133,6 +137,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e fleet_admin_secret=randomstring` | A string used as part of the password key derivation process. |
 | `-v /config` | The primary config file and rolling log files. |
 | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 ## Environment variables from files (Docker secrets)
@@ -296,6 +301,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **24.12.24:** - Rebase to Alpine 3.21.
 * **04.06.24:** - Rebase to Alpine 3.20.
 * **20.03.24:** - Rebase to Alpine 3.19.
 * **12.07.23:** - Rebase to Alpine 3.18.
diff --git a/readme-vars.yml b/readme-vars.yml
index c497520..6315dd6 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -29,6 +29,7 @@ opt_param_usage_include_env: true
 opt_param_env_vars:
 - {env_var: "fleet_admin_secret", env_value: "randomstring", desc: "A string used as part of the password key derivation process."}
 readonly_supported: true
+nonroot_supported: true
 app_setup_block_enabled: true
 app_setup_block: |
 Navigate to `http://your_ip_here:8080` to display the home page. If `DATABASE` is selected as the preferred authentication process, ensure that you set up an
@@ -79,6 +80,7 @@ init_diagram: |
 "fleet:latest" <- Base Images
 # changelog
 changelogs:
+ - {date: "24.12.24:", desc: "Rebase to Alpine 3.21."}
 - {date: "04.06.24:", desc: "Rebase to Alpine 3.20."}
 - {date: "20.03.24:", desc: "Rebase to Alpine 3.19."}
 - {date: "12.07.23:", desc: "Rebase to Alpine 3.18."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-fleet-config/run b/root/etc/s6-overlay/s6-rc.d/init-fleet-config/run
index ae4017a..e0c7233 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-fleet-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-fleet-config/run
@@ -1,6 +1,7 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-# permissions
-lsiown -R abc:abc \
- /config
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+ lsiown -R abc:abc \
+ /config
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-fleet/run b/root/etc/s6-overlay/s6-rc.d/svc-fleet/run
index 2f8ad6d..2f8dccb 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-fleet/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-fleet/run
@@ -1,6 +1,12 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-exec \
- s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8080" \
- s6-setuidgid abc /usr/bin/java -Dfleet.config.base=/config -Dlog4j2.formatMsgNoLookups=true -jar /app/fleet/fleet.jar
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+ exec \
+ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8080" \
+ s6-setuidgid abc /usr/bin/java -Dfleet.config.base=/config -Dlog4j2.formatMsgNoLookups=true -jar /app/fleet/fleet.jar
+else
+ exec \
+ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8080" \
+ /usr/bin/java -Dfleet.config.base=/config -Dlog4j2.formatMsgNoLookups=true -jar /app/fleet/fleet.jar
+fi
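Review bot: The new guard in init-fleet-config/run, `if [[ -z ${LSIO_NON_ROOT_USER} ]]; then`, decides whether to fix ownership of /config from an environment variable rather than from the uid the script actually runs as, and the same test in svc-fleet/run decides whether java is started through `s6-setuidgid abc`. Both scripts run under with-contenv, and this patch does not show where the variable is set (presumably the base image init), so if it can also arrive from the container environment, a container started as root with any non-empty value would skip the chown and run fleet as root. Testing the effective uid instead, `if [[ "$(id -u)" -eq 0 ]]; then`, would tie the privilege drop to the real state; if the variable is kept, a comment such as `# LSIO_NON_ROOT_USER is set by the base image when the container is started with --user` would record the assumption. The hunk also removes the `# permissions` comment, which is still accurate and worth keeping above the guard.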
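Review bot: The two branches in svc-fleet/run repeat the whole `s6-notifyoncheck … /usr/bin/java …` command and differ only in the `s6-setuidgid abc` prefix, so a later edit to the Java options (for example the `-Dlog4j2.formatMsgNoLookups=true` hardening flag) can land in one branch and be missed in the other. Building the optional prefix once and keeping a single `exec` removes that drift risk without changing what either mode runs. The whole script is visible in this hunk.

```shell
# no prefix in non-root mode; otherwise drop privileges to abc
run_as=()
if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
    run_as=(s6-setuidgid abc)
fi

exec \
    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8080" \
        "${run_as[@]}" /usr/bin/java -Dfleet.config.base=/config -Dlog4j2.formatMsgNoLookups=true -jar /app/fleet/fleet.jar
```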