run as non root and non host network mode

2026-03-18 15:23:51 +01:00 · 2025-01-31 06:32:09 +08:00
parent 357897a0cd
commit b3290e2665
15 changed files with 107 additions and 73 deletions
--- a/scripts/docker-start.sh
+++ b/scripts/docker-start.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+echo "Running as PUID: ${PUID}, PGID: ${PGID}"
+echo "Creating user"
+addgroup -S -g "${PGID}" godoxyg
+adduser -S -D -H -s /bin/false -u "${PUID}" -g "${PGID}" godoxy
+
+echo "Setting up permissions"
+chown -R godoxy:godoxyg /app
+setcap CAP_NET_BIND_SERVICE=+eip /app/godoxy
+
+# fork docker socket if exists
+if test -e /var/run/docker.sock; then
+	echo "Proxying docker socket"
+	socat -v "UNIX-LISTEN:${SOCKET_FORK}",fork UNIX-CONNECT:/var/run/docker.sock >/dev/null 2>&1 &
+	# wait for socket to be ready
+	while [ ! -S "${SOCKET_FORK}" ]; do
+		sleep 0.1
+	done
+	chmod 660 "${SOCKET_FORK}"
+	chown godoxy:godoxyg "${SOCKET_FORK}"
+fi
+
+echo "Done"
+
+runuser -u godoxy -g godoxyg -- /app/godoxy