From f4c05cf9ccfbaf41b179b70264b9e9d1f4d1748e Mon Sep 17 00:00:00 2001 From: ian351c Date: Wed, 5 Jun 2024 10:50:14 -0400 Subject: [PATCH 1/7] Update 30-ownership.sh Make setting file permissions optional with SKIP_FILE_OWNERSHIP environment variable.
---
 .../s6-rc.d/prepare/30-ownership.sh | 50 +++++++++++--------
 1 file changed, 28 insertions(+), 22 deletions(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
index 378cc9ca..e4798423 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
@@ -3,26 +3,32 @@ set -e
-log_info 'Setting ownership ...'
+# Lowercase
+SKIP_FILE_OWNERSHIP=$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')
-# root
-chown root /tmp/nginx
-
-# npm user and group
-chown -R "$PUID:$PGID" /data
-chown -R "$PUID:$PGID" /etc/letsencrypt
-chown -R "$PUID:$PGID" /run/nginx
-chown -R "$PUID:$PGID" /tmp/nginx
-chown -R "$PUID:$PGID" /var/cache/nginx
-chown -R "$PUID:$PGID" /var/lib/logrotate
-chown -R "$PUID:$PGID" /var/lib/nginx
-chown -R "$PUID:$PGID" /var/log/nginx
-
-# Don't chown entire /etc/nginx folder as this causes crashes on some systems
-chown -R "$PUID:$PGID" /etc/nginx/nginx
-chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
-chown -R "$PUID:$PGID" /etc/nginx/conf.d
-
-# Prevents errors when installing python certbot plugins when non-root
-chown "$PUID:$PGID" /opt/certbot /opt/certbot/bin
-find /opt/certbot/lib/python*/site-packages -not -user "$PUID" -execdir chown "$PUID:$PGID" {} \+
+if [ "$SKIP_FILE_OWNERSHIP" == "false" ] || [ "$SKIP_FILE_OWNERSHIP" == "off" ] || [ "$SKIP_FILE_OWNERSHIP" == "0" ] || [ "$SKIP_FILE_OWNERSHIP" == "no" ]; then
+ log_info 'Skipping ownership, use only with caution ...'
+else
+ log_info 'Setting ownership ...'
+ # root
+ chown root /tmp/nginx
+
+ # npm user and group
+ chown -R "$PUID:$PGID" /data
+ chown -R "$PUID:$PGID" /etc/letsencrypt
+ chown -R "$PUID:$PGID" /run/nginx
+ chown -R "$PUID:$PGID" /tmp/nginx
+ chown -R "$PUID:$PGID" /var/cache/nginx
+ chown -R "$PUID:$PGID" /var/lib/logrotate
+ chown -R "$PUID:$PGID" /var/lib/nginx
+ chown -R "$PUID:$PGID" /var/log/nginx
+
+ # Don't chown entire /etc/nginx folder as this causes crashes on some systems
+ chown -R "$PUID:$PGID" /etc/nginx/nginx
+ chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
+ chown -R "$PUID:$PGID" /etc/nginx/conf.d
+
+ # Prevents errors when installing python certbot plugins when non-root
+ chown "$PUID:$PGID" /opt/certbot /opt/certbot/bin
+ find /opt/certbot/lib/python*/site-packages -not -user "$PUID" -execdir chown "$PUID:$PGID" {} \+
+fi
From c1e37019441a21dd06d04c4aa0ee726d003bab8d Mon Sep 17 00:00:00 2001 From: ian351c Date: Wed, 5 Jun 2024 11:45:27 -0400 Subject: [PATCH 2/7] Update 30-ownership.sh Fix bad boolean logic
---
 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
index e4798423..3f1647af 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
@@ -6,7 +6,7 @@ set -e
 # Lowercase
 SKIP_FILE_OWNERSHIP=$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')
-if [ "$SKIP_FILE_OWNERSHIP" == "false" ] || [ "$SKIP_FILE_OWNERSHIP" == "off" ] || [ "$SKIP_FILE_OWNERSHIP" == "0" ] || [ "$SKIP_FILE_OWNERSHIP" == "no" ]; then
+if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
 log_info 'Skipping ownership, use only with caution ...'
 else
 log_info 'Setting ownership ...'
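Review bot: Any value of SKIP_FILE_OWNERSHIP outside the four spellings tested on the new `if` line silently takes the other branch, so a typo such as `SKIP_FILE_OWNERSHIP=ture` behaves exactly like the variable being unset and nothing is logged about it; the four-way `[ ] || [ ]` chain also has to be copied wherever the flag is consulted (50-ipv6.sh later in this series). A `case` on the already-lowercased value with an explicit arm for unrecognised input keeps the recognised set in one place and makes the fall-through visible in the log. Patch 2/7 inverts the polarity of this test, so the excerpt below uses the intended meaning (a truthy value skips) and replaces only the `if` line; both branch bodies stay as the hunk has them.
```shell
case "$SKIP_FILE_OWNERSHIP" in
	true|on|1|yes) skip_ownership=1 ;;
	''|false|off|0|no) skip_ownership=0 ;;
	*)
		# unrecognised input falls back to the previous behaviour (chown), but say so
		log_info 'Unrecognised SKIP_FILE_OWNERSHIP value, setting ownership ...'
		skip_ownership=0
		;;
esac
if [ "$skip_ownership" = "1" ]; then
	log_info 'Skipping ownership, use only with caution ...'
else
	# … unchanged: log_info 'Setting ownership ...' and the chown block …
fi
```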
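Review bot: `==` inside single-bracket `[ … ]` on the changed line is a bash extension rather than POSIX test syntax; the script's shebang is outside the hunk, so under bash this is only a portability nit, but `=` is accepted by both and is what ShellCheck expects in sh mode. The same spelling is used on the other three comparisons of this line and is copied into 50-ipv6.sh later in the series, so changing it once here and once there keeps the two files consistent.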
From 0232ebf3ba9d957f86516553104eb81744207d1a Mon Sep 17 00:00:00 2001 From: ian351c Date: Wed, 5 Jun 2024 11:56:55 -0400 Subject: [PATCH 3/7] Update 50-ipv6.sh
---
 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
index 0c4d261c..8f831eb3 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
@@ -10,6 +10,7 @@ log_info 'IPv6 ...'
 # Lowercase
 DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
+SKIP_FILE_OWNERSHIP=$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')
 process_folder () {
 FILES=$(find "$1" -type f -name "*.conf")
@@ -31,8 +32,12 @@ process_folder () {
 echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
 done
- # ensure the files are still owned by the npm user
- chown -R "$PUID:$PGID" "$1"
+ if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
+ log_info 'Skipping ownership, use only with caution ...'
+ else
+ # ensure the files are still owned by the npm user
+ chown -R "$PUID:$PGID" "$1"
+ fi
 }
 process_folder /etc/nginx/conf.d
From 6da6d87ffd57461fe994094fde7f7295e18f8bc1 Mon Sep 17 00:00:00 2001 From: ian351c Date: Wed, 5 Jun 2024 12:15:06 -0400 Subject: [PATCH 4/7] Update 50-ipv6.sh Fix boolean logic for IPv6
---
 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
index 8f831eb3..cb78a13c 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
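Review bot: The added `SKIP_FILE_OWNERSHIP=$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')` line in the first hunk copies the normalisation from 30-ownership.sh, and the second hunk copies the four-way comparison as well, so the set of recognised spellings now lives in two files that can drift apart. If the file that defines `log_info` (sourced before this hunk; not visible here) is shared by both prepare scripts, a single helper there such as `skip_file_ownership() { case "$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')" in true|on|1|yes) return 0 ;; *) return 1 ;; esac; }` lets both scripts write `if skip_file_ownership; then` and keeps one source of truth; where that file is not shared, at least the comparison should stay byte-identical across the two scripts. The `process_folder` function the second hunk edits starts before the hunk.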
@@ -32,9 +32,9 @@ process_folder () {
 echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
 done
- if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
+ if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
 log_info 'Skipping ownership, use only with caution ...'
- else
+ else
 # ensure the files are still owned by the npm user
 chown -R "$PUID:$PGID" "$1"
 fi
From 78b3822c749e7d53adc5f6c6eea0daa5c0991346 Mon Sep 17 00:00:00 2001 From: ian351c Date: Wed, 5 Jun 2024 12:31:49 -0400 Subject: [PATCH 5/7] Tuning what needs to be chowned
---
 .../s6-rc.d/prepare/30-ownership.sh | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
index 3f1647af..a50a9a2e 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
@@ -7,7 +7,29 @@ set -e
 SKIP_FILE_OWNERSHIP=$(echo "${SKIP_FILE_OWNERSHIP:-}" | tr '[:upper:]' '[:lower:]')
 if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
- log_info 'Skipping ownership, use only with caution ...'
+ log_info 'Skipping data and letsencrypt ownership, use only with caution ...'
+ # root
+ chown -R "$PUID:$PGID" /run/nginx
+ chown -R "$PUID:$PGID" /tmp/nginx
+ chown -R "$PUID:$PGID" /var/cache/nginx
+ chown -R "$PUID:$PGID" /var/lib/logrotate
+ chown -R "$PUID:$PGID" /var/lib/nginx
+ chown -R "$PUID:$PGID" /var/log/nginx
+
+ # Don't chown entire /etc/nginx folder as this causes crashes on some systems
+ chown -R "$PUID:$PGID" /etc/nginx/nginx
+ chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
+ chown -R "$PUID:$PGID" /etc/nginx/conf.d
+
+ # Don't chown entire /etc/nginx folder as this causes crashes on some systems
+ chown -R "$PUID:$PGID" /etc/nginx/nginx
+ chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
+ chown -R "$PUID:$PGID" /etc/nginx/conf.d
+
+ # Prevents errors when installing python certbot plugins when non-root
+ chown "$PUID:$PGID" /opt/certbot /opt/certbot/bin
+ find /opt/certbot/lib/python*/site-packages -not -user "$PUID" -execdir chown "$PUID:$PGID" {} \+
+
 else
 log_info 'Setting ownership ...'
 # root
From 8fbe585470bc4a45568cf9d96576a7a73f054154 Mon Sep 17 00:00:00 2001 From: ian351c Date: Wed, 5 Jun 2024 12:36:38 -0400 Subject: [PATCH 6/7] Chown is ok for files on base image...
---
 .../rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
index cb78a13c..da088425 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
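Review bot: The `# Don't chown entire /etc/nginx folder …` comment and its three chown lines are added twice in the new skip branch (the second copy starts right after the first copy's blank line), and the `# root` heading above `chown -R "$PUID:$PGID" /run/nginx` is misleading, since every command under it chowns to the npm user rather than to root. Beyond the duplicate, the skip branch now repeats all but two lines of the else branch, so the two lists will drift; the only paths the flag is meant to leave alone are /data and /etc/letsencrypt, which are exactly the two chowns the skip branch omits. Guarding just those two and running the image-owned chowns unconditionally says that directly and removes the copy; the excerpt below shows that shape, with the shared chown list written once after the guard. The else branch continues past the end of the hunk.
```shell
if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
	log_info 'Skipping data and letsencrypt ownership, use only with caution ...'
else
	log_info 'Setting ownership ...'
	# these two trees are the ones typically backed by a volume or bind mount
	chown -R "$PUID:$PGID" /data
	chown -R "$PUID:$PGID" /etc/letsencrypt
fi

# everything below ships with the image and is always chowned
# root
chown root /tmp/nginx
# … unchanged: npm user and group chowns, /etc/nginx/* and /opt/certbot chowns, each written once …
```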
@@ -32,13 +32,17 @@ process_folder () {
 echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
 done
- if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
- log_info 'Skipping ownership, use only with caution ...'
- else
+
 # ensure the files are still owned by the npm user
 chown -R "$PUID:$PGID" "$1"
 fi
 }
+# process files on base image
 process_folder /etc/nginx/conf.d
-process_folder /data/nginx
+# conditionally process files that are probably in a volume or bind
+if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
+ log_info 'Skipping ownership, use only with caution ...'
+else
+ process_folder /data/nginx
+fi
From 599ddd1a3937393d7b2a91dfec9f708d75d93a8c Mon Sep 17 00:00:00 2001 From: ian351c Date: Wed, 5 Jun 2024 22:30:29 -0400 Subject: [PATCH 7/7] Update 50-ipv6.sh Clean up log_info messages. Otherwise this appears to work...
---
 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
index da088425..6c4a5212 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
@@ -42,7 +42,7 @@ process_folder () {
 process_folder /etc/nginx/conf.d
 # conditionally process files that are probably in a volume or bind
 if [ "$SKIP_FILE_OWNERSHIP" == "true" ] || [ "$SKIP_FILE_OWNERSHIP" == "on" ] || [ "$SKIP_FILE_OWNERSHIP" == "1" ] || [ "$SKIP_FILE_OWNERSHIP" == "yes" ]; then
- log_info 'Skipping ownership, use only with caution ...'
+ log_info 'Skipping data and letsencrypt ownership, use only with caution ...'
 else
 process_folder /data/nginx
 fi
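Review bot: The `fi` just above the closing `}` of process_folder is kept as a context line while the `if`, `log_info` and `else` it closed are the three removed lines, so after this patch the function body ends with an unmatched `fi` (the hunk's 13/17 line counts confirm it is unchanged) and the shell will reject the function definition with a syntax error before any chown runs; it needs to be removed along with the other three (`-	fi`). The later "appears to work" in patch 7/7's message does not match what this hunk shows, so the file as patched should be run once under `bash -n`. process_folder starts before the hunk.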
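Review bot: The new message `Skipping data and letsencrypt ownership` overstates what this guard skips: the only thing in the `else` arm is `process_folder /data/nginx`, and 50-ipv6.sh never touches /etc/letsencrypt in either arm, so the wording copied from 30-ownership.sh will send an operator looking for a certbot effect that does not exist here. Suggest `log_info 'Skipping /data/nginx ownership, use only with caution ...'` so each script's log line names the paths it actually leaves alone.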