From 4ef2f48a471b345c58be50820e8a8d908223f93d Mon Sep 17 00:00:00 2001 From: Azlux Date: Mon, 3 Jun 2024 17:25:01 +0200 Subject: [PATCH] No USER in dockerfile anymore --- Dockerfile | 1 - README.md | 4 +++- entrypoint.sh | 22 ++++++++++++++++++++-- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index c03df1a..8c9e091 100644 --- a/Dockerfile +++ b/Dockerfile @@ -73,7 +73,6 @@ COPY --from=build /mumble/repo/build/mumble-server /usr/bin/mumble-server COPY --from=build /mumble/repo/default_config.ini /etc/mumble/bare_config.ini RUN mkdir -p /data && chown -R mumble:mumble /data && chown -R mumble:mumble /etc/mumble -USER mumble EXPOSE 64738/tcp 64738/udp COPY entrypoint.sh /entrypoint.sh diff --git a/README.md b/README.md index 5a9e5ed..ae761de 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,7 @@ The following _additional_ variables can be set for further server configuration |----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------- | | `MUMBLE_ACCEPT_UNKNOWN_SETTINGS` | Set to `true` to force the container to accept unknown settings passed as a `MUMBLE_CONFIG_` variable (see note below). | | `MUMBLE_CUSTOM_CONFIG_FILE` | Specify a custom config file path - **all `MUMBLE_CONFIG_` variables are IGNORED**
(it's best to use a path inside the volume `/data/`) | +| `MUMBLE_NO_CHOWN` | Set to `true` to avoid the entrypoint to `chown` you `/data` folder | | `MUMBLE_SUPERUSER_PASSWORD` | Specifies the SuperUser (Admin) password for this server. If this is not given, a random password will be generated upon first startup. | | `MUMBLE_VERBOSE` | Set to `true` to enable verbose logging in the server | @@ -160,8 +161,9 @@ process employed by this Docker image. ### Using a different UID/GID Additionally, it is possible to specify the UID and the GID of the `mumble` user that is used inside the container. These can be controlled by the -`MUMBLE_UID` and `MUMBLE_GID` build variables respectively. This is intended to allow you to use the same UID and GID as your user on your host +`MUMBLE_UID` and `MUMBLE_GID` entrypoint variables respectively. This is intended to allow you to use the same UID and GID as your user on your host system, in order to cause minimal issues when accessing mounted volumes. +By default, the entrypoint will `chown` the `/data` folder to have good rights on the mounted folder. If your system don't allow changing owner from the container itself or if you don't want to entrypoint to modify the rights in any way other by you, you can set the environment variable : `MUMBLE_NO_CHOWN` to `true`. ### Using custom build options diff --git a/entrypoint.sh b/entrypoint.sh index b264220..17e74b8 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,6 +5,8 @@ readonly DATA_DIR="/data" readonly BARE_BONES_CONFIG_FILE="/etc/mumble/bare_config.ini" readonly CONFIG_REGEX="^(\;|\#)?\ *([a-zA-Z_0-9]+)=.*" CONFIG_FILE="${DATA_DIR}/mumble_server_config.ini" +MUMBLE_UID=${MUMBLE_UID:-10000} +MUMBLE_GID=${MUMBLE_GID:-10000} readonly SENSITIVE_CONFIGS=( "dbPassword" @@ -159,11 +161,27 @@ if [[ -n "${MUMBLE_SUPERUSER_PASSWORD}" ]]; then fi # Show /data permissions, in case the user needs to match the mount point access -echo "Running Mumble server as uid=$(id -u) gid=$(id -g)" +echo "Entrypoint running as uid=$(id -u) gid=$(id -g)" +echo "Preparing Mumble server to run as uid=$(MUMBLE_UID) gid=$(MUMBLE_GID)" + +if [[ "$MUMBLE_UID" != "0" ]]; then + groupmod -og "$MUMBLE_GID" mumble + usermod -ou "$MUMBLE_UID" mumble + if [[ "$MUMBLE_NO_CHOWN" = true ]]; then + echo "Changing owner of folder {DATA_DIR}" + chown -R mumble:mumble ${DATA_DIR} + fi + exec runuser -u mumble -g mumble -- "$@" +fi + echo "\"${DATA_DIR}\" has the following permissions set:" echo " $( stat ${DATA_DIR} --printf='%A, owner: \"%U\" (UID: %u), group: \"%G\" (GID: %g)' )" echo "Command run to start the service : ${server_invocation[*]}" echo "Starting..." -exec "${server_invocation[@]}" +if [[ "$MUMBLE_UID" != "0" ]]; then + exec runuser -u mumble -g mumble -- "${server_invocation[@]}" +else + exec "${server_invocation[@]}" +fi