From 50f2efcd7cff302ad9b5cff9baaef523864572ed Mon Sep 17 00:00:00 2001
From: thelamer <ryankuba@gmail.com>
Date: Tue, 23 Sep 2025 14:44:19 -0400
Subject: [PATCH] syntax and readme updates

---
 Dockerfile         | 4 +++-
 Dockerfile.aarch64 | 4 +++-
 README.md          | 9 +++++----
 readme-vars.yml    | 8 ++------
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 970d518..c31f708 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 FROM ghcr.io/linuxserver/baseimage-selkies:alpine322
 
 # set version label
@@ -31,6 +33,6 @@ RUN \
 COPY /root /
 
 # ports and volumes
-EXPOSE 3000
+EXPOSE 3001
 
 VOLUME /config
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index ee98ca9..08a77be 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 FROM ghcr.io/linuxserver/baseimage-selkies:arm64v8-alpine322
 
 # set version label
@@ -31,6 +33,6 @@ RUN \
 COPY /root /
 
 # ports and volumes
-EXPOSE 3000
+EXPOSE 3001
 
 VOLUME /config
diff --git a/README.md b/README.md
index 8c5845f..0be8a7f 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,8 @@ By default, this container has no authentication. The optional `CUSTOM_USER` and
 
 The web interface includes a terminal with passwordless `sudo` access. Any user with access to the GUI can gain root control within the container, install arbitrary software, and probe your local network.
 
+While not generally recommended, certain legacy environments specifically those with older hardware or outdated Linux distributions may require the deactivation of the standard seccomp profile to get containerized desktop software to run. This can be achieved by utilizing the `--security-opt seccomp=unconfined` parameter. It is critical to use this option only when absolutely necessary as it disables a key security layer of Docker, elevating the potential for container escape vulnerabilities.
+
 ### Options in all Selkies-based GUI containers
 
 This container is based on [Docker Baseimage Selkies](https://github.com/linuxserver/docker-baseimage-selkies), which provides the following environment variables and run configurations to customize its functionality.
@@ -185,8 +187,6 @@ services:
   sqlitebrowser:
     image: lscr.io/linuxserver/sqlitebrowser:latest
     container_name: sqlitebrowser
-    security_opt:
-      - seccomp:unconfined #optional
     environment:
       - PUID=1000
       - PGID=1000
@@ -196,6 +196,7 @@ services:
     ports:
       - 3000:3000
       - 3001:3001
+    shm_size: "1gb"
     restart: unless-stopped
 ```
 
@@ -204,13 +205,13 @@ services:
 ```bash
 docker run -d \
   --name=sqlitebrowser \
-  --security-opt seccomp=unconfined `#optional` \
   -e PUID=1000 \
   -e PGID=1000 \
   -e TZ=Etc/UTC \
   -p 3000:3000 \
   -p 3001:3001 \
   -v /path/to/config:/config \
+  --shm-size="1gb" \
   --restart unless-stopped \
   lscr.io/linuxserver/sqlitebrowser:latest
 ```
@@ -227,7 +228,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PGID=1000` | for GroupID - see below for explanation |
 | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
 | `-v /config` | Users home directory in the container, stores program settings and potentially dump files. |
-| `--security-opt seccomp=unconfined` | For Docker Engine only, many modern gui apps need this to function on older hosts as syscalls are unknown to Docker. |
+| `--shm-size=` | Recommended for all desktop images. |
 
 ## Environment variables from files (Docker secrets)
 
diff --git a/readme-vars.yml b/readme-vars.yml
index 39000a3..4592582 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -17,9 +17,6 @@ development_versions: false
 # container parameters
 common_param_env_vars_enabled: true
 param_container_name: "{{ project_name }}"
-param_usage_include_env: true
-param_env_vars:
-  - {env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London."}
 param_usage_include_vols: true
 param_volumes:
   - {vol_path: "/config", vol_host_path: "/path/to/config", desc: "Users home directory in the container, stores program settings and potentially dump files."}
@@ -27,9 +24,8 @@ param_usage_include_ports: true
 param_ports:
   - {external_port: "3000", internal_port: "3000", port_desc: "Sqlitebrowser desktop gui HTTP, must be proxied."}
   - {external_port: "3001", internal_port: "3001", port_desc: "Sqlitebrowser desktop gui HTTPS."}
-opt_security_opt_param: true
-opt_security_opt_param_vars:
-  - {run_var: "seccomp=unconfined", compose_var: "seccomp:unconfined", desc: "For Docker Engine only, many modern gui apps need this to function on older hosts as syscalls are unknown to Docker."}
+custom_params:
+  - {name: "shm-size", name_compose: "shm_size", value: "1gb", desc: "Recommended for all desktop images."}
 # Selkies blurb settings
 selkies_blurb: true
 # application setup block