LAB-linuxserver/docker-mods
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-mods.git synced 2026-02-05 04:59:42 +08:00
Code Issues Packages Projects Releases Wiki Activity
docker-mods/docker-mods.v3

272 lines
11 KiB
Plaintext
Executable File
Raw Blame History

#!/command/with-contenv bash
# shellcheck shell=bash
# Version 3
# 2022-09-25
MOD_SCRIPT_VER="3"
# Use /command/with-contenv shebang because /usr/bin/with-contenv is created in this script
# Define custom folder paths
SCRIPTS_DIR="/custom-cont-init.d"
SERVICES_DIR="/custom-services.d"
# Set executable bit on cont-init and services built into the image
set_legacy_executable_bits() {
mkdir -p /etc/{cont-init.d,services.d}
chmod +x \
/etc/cont-init.d/* \
/etc/services.d/*/* 2>/dev/null || true
}
tamper_check() {
# Tamper check custom service locations
if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
# Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
}
process_custom_services() {
# Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed
if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
echo "[custom-init] removing existing custom services..."
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*
fi
# Make sure custom service directory exists and has files in it
if [[ -e "${SERVICES_DIR}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]]; then
echo "[custom-init] Service files found in ${SERVICES_DIR}"
for SERVICE in "${SERVICES_DIR}"/*; do
NAME="$(basename "${SERVICE}")"
if [[ -f "${SERVICE}" ]]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/
cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run
echo "longrun" >/etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type
touch /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/dependencies.d/init-services
touch /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-"${NAME}"
echo "[custom-init] ${NAME}: copied"
elif [[ ! -f "${SERVICE}" ]]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
else
echo "[custom-init] No custom services found, skipping..."
fi
}
# Create our noisy chown alias to handle read-only/remote volumes
create_lsiown_alias() {
# intentional tabs in the heredoc
cat <<-EOF >/usr/bin/lsiown
#!/bin/bash
chown "\$@" || printf '**** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****\n**** The app may not work properly and we will not provide support for it. ****\n'
EOF
chmod +x /usr/bin/lsiown
}
# Create our with-contenv alias with umask support
create_with_contenv_alias() {
if [[ ! -f /command/with-contenv ]]; then
echo "[mod-init] /command/with-contenv not found, skipping alias creation"
return
fi
rm -rf /usr/bin/with-contenv
# intentional tabs in the heredoc
cat <<-EOF >/usr/bin/with-contenv
#!/bin/bash
if [[ -f /run/s6/container_environment/UMASK ]] &&
{ [[ "\$(pwdx \$\$)" =~ "/run/s6/legacy-services/" ]] ||
[[ "\$(pwdx \$\$)" =~ "/run/s6/services/" ]] ||
[[ "\$(pwdx \$\$)" =~ "/servicedirs/svc-" ]]; }; then
umask "\$(cat /run/s6/container_environment/UMASK)"
fi
exec /command/with-contenv "\$@"
EOF
chmod +x /usr/bin/with-contenv
}
# Check for curl
curl_check() {
if [[ ! -f /usr/bin/curl ]] || [[ ! -f /usr/bin/jq ]]; then
echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing"
if [[ -f /usr/bin/apt ]]; then
# Ubuntu
export DEBIAN_FRONTEND="noninteractive"
apt-get update
apt-get install --no-install-recommends -y \
curl \
jq
elif [[ -f /sbin/apk ]]; then
# Alpine
apk add --no-cache \
curl \
jq
elif [[ -f /usr/bin/dnf ]]; then
# Fedora
dnf install -y --setopt=install_weak_deps=False --best \
curl \
jq
elif [[ -f /usr/sbin/pacman ]]; then
# Arch
pacman -Sy --noconfirm \
curl \
jq
fi
fi
}
# Use different filtering depending on URL
get_blob_sha() {
if [[ $1 == "ghcr" ]]; then
curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
--silent \
--location \
--request GET \
--header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
--header "Accept: application/vnd.oci.image.index.v1+json" \
--header "Authorization: Bearer $2" \
"$3" | jq -r '.layers[0].digest'
else
curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
--silent \
--location \
--request GET \
--header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
--header "Accept: application/vnd.oci.image.index.v1+json" \
--header "Authorization: Bearer $2" \
"$3" | jq -r '.fsLayers[0].blobSum'
fi
}
# Main run logic
run_mods() {
echo "[mod-init] Attempting to run Docker Modification Logic"
for DOCKER_MOD in $(echo "${DOCKER_MODS}" | tr '|' '\n'); do
# Support alternative endpoints
if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then
DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}"
ENDPOINT="${DOCKER_MOD%%:*}"
USERNAME="${DOCKER_MOD%%/*}"
REPO="${ENDPOINT#*/}"
TAG="${DOCKER_MOD#*:}"
if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
TAG="latest"
fi
FILENAME="${USERNAME}.${REPO}.${TAG}"
AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull"
MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}"
BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/"
MODE="ghcr"
else
ENDPOINT="${DOCKER_MOD%%:*}"
USERNAME="${DOCKER_MOD%%/*}"
REPO="${ENDPOINT#*/}"
TAG="${DOCKER_MOD#*:}"
if [[ ${TAG} == "${DOCKER_MOD}" ]]; then
TAG="latest"
fi
FILENAME="${USERNAME}.${REPO}.${TAG}"
AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull"
MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}"
BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/"
MODE="dockerhub"
fi
# Kill off modification logic if any of the usernames are banned
for BANNED in $(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt); do
if [[ "${BANNED,,}" == "${USERNAME,,}" ]]; then
if [[ -z ${RUN_BANNED_MODS+x} ]]; then
echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic"
return
else
echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied"
fi
fi
done
echo "[mod-init] Applying ${DOCKER_MOD} files to container"
# Get Dockerhub token for api operations
TOKEN="$(
curl -f --retry 10 --retry-max-time 60 --retry-connrefused \
--silent \
--header 'GET' \
"${AUTH_URL}" |
jq -r '.token'
)"
# Determine first and only layer of image
SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}")
# Check if we have allready applied this layer
if [[ -f "/${FILENAME}" ]] && [[ "${SHALAYER}" == "$(cat /"${FILENAME}")" ]]; then
echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping"
else
# Download and extract layer to /
curl -f --retry 10 --retry-max-time 60 --retry-all-errors \
--silent \
--location \
--request GET \
--header "Authorization: Bearer ${TOKEN}" \
"${BLOB_URL}${SHALAYER}" -o \
/modtarball.tar.xz
mkdir -p /tmp/mod
if ! tar -tzf /modtarball.tar.xz >/dev/null 2>&1; then
echo "Invalid tarball, could not download ${DOCKER_MOD}"
continue
fi
tar xzf /modtarball.tar.xz -C /tmp/mod
if [[ -d /tmp/mod/etc/s6-overlay ]]; then
if [[ -d /tmp/mod/etc/cont-init.d ]]; then
rm -rf /tmp/mod/etc/cont-init.d
fi
if [[ -d /tmp/mod/etc/services.d ]]; then
rm -rf /tmp/mod/etc/services.d
fi
fi
shopt -s dotglob
cp -R /tmp/mod/* /
shopt -u dotglob
rm -rf /tmp/mod
rm -rf /modtarball.tar.xz
echo "${SHALAYER}" >"/${FILENAME}"
echo "[mod-init] ${DOCKER_MOD} applied to container"
fi
done
}
# Run alias creation functions
create_lsiown_alias
create_with_contenv_alias
# Main script loop
if [[ ${S6_VERBOSITY} -ge 2 ]]; then
echo "[mod-init] Version ${MOD_SCRIPT_VER}"
fi
if [[ -d "${SCRIPTS_DIR}" ]] || [[ -d "${SERVICES_DIR}" ]]; then
tamper_check
process_custom_services
fi
# Run mod logic
if [[ -n "${DOCKER_MODS+x}" ]]; then
curl_check
run_mods
fi
# Set executable bit on legacy cont-init and services built into the image and anything legacy unpacked by mods
set_legacy_executable_bits
Reference in New Issue View Git Blame Copy Permalink