Misc unprivileged fixes

Alex D. 2025-04-01 14:48:43 +00:00
parent bb47afb053
commit e7e8cbb288
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
10 changed files with 155 additions and 36 deletions


@ -1,9 +1,9 @@
FROM gitea/gitea:latest-rootless
# Image is based on go-alpine, apk is available
COPY --chown=1000:1000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/ca.crt
COPY --chown=1000:1000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/certs/gitea.crt /usr/share/redxen/postgresql/gitea.crt
COPY --chown=1000:1000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/keys/gitea.key /usr/share/redxen/postgresql/gitea.key
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/ca.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/certs/gitea.crt /usr/share/redxen/postgresql/gitea.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/keys/gitea.key /usr/share/redxen/postgresql/gitea.key
WORKDIR /etc/gitea
@ -12,12 +12,14 @@ ENV GITEA_WORK_DIR=/var/lib/gitea
ENV GITEA_APP_INI=/etc/gitea/app.ini
ADD config.ini app.ini
COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /secret_key secret_key
COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /internal_token internal_token
COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /jwt_secret jwt_secret
COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /mailer_password mailer_passwd
COPY --from=redxen.eu/data/secrets/gitea:latest /secret_key secret_key
COPY --from=redxen.eu/data/secrets/gitea:latest /internal_token internal_token
COPY --from=redxen.eu/data/secrets/gitea:latest /jwt_secret jwt_secret
COPY --from=redxen.eu/data/secrets/gitea:latest /mailer_password mailer_passwd
USER root
RUN chown -Rv 10000:10000 ./
WORKDIR /var/lib/gitea
USER 10000:10000
ENTRYPOINT [""]
CMD ["gitea", "-c", "/etc/gitea/app.ini", "web"]
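Review bot: The `RUN chown -Rv 10000:10000 ./` added after `USER root` rewrites every file under /etc/gitea into a fresh layer, so the secret files copied just above it (secret_key, internal_token, jwt_secret, mailer_passwd) now exist in two layers of the image, and the root switch exists only to serve that chown. Keeping `--chown=10000:10000` on the four `COPY --from=…secrets…` lines and on `ADD config.ini app.ini`, as the removed lines did with 1000:1000, gives the same ownership without the extra layer, and the `USER root` / `RUN chown` pair can then be dropped. The same pattern appears in the grafana section (`USER root` followed by `RUN chown -Rv 10000:10000 ./`), in the murmur section (`RUN chown -Rv 10000:10000 ./` right after the registerPassword is appended to murmur.ini, so the ini with the password is duplicated as well) and in the nginx section (`RUN chown -Rc 10000:10000 ./ /run/nginx /var/lib/nginx`).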


@ -1,12 +1,15 @@
FROM grafana/grafana:latest
# See GF_PATHS_HOME from the dockerfile where the unprivildged user is created
COPY --chown=472:0 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/root.crt
COPY --chown=472:0 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/certs/grafana.crt /usr/share/redxen/postgresql/postgresql.crt
COPY --chown=472:0 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/keys/grafana.key /usr/share/redxen/postgresql/postgresql.key
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/root.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/certs/grafana.crt /usr/share/redxen/postgresql/postgresql.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/keys/grafana.key /usr/share/redxen/postgresql/postgresql.key
WORKDIR /etc/redxen/grafana/
ENV GF_PATHS_CONFIG=/etc/redxen/grafana/config.ini
ADD config.ini config.ini
USER root
RUN chown -Rv 10000:10000 ./
USER 10000:10000
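Review bot: The comment above the certificate copies still points at the upstream Dockerfile for the unprivileged user (the removed lines used its 472:0), but the stage now ends in `USER 10000:10000`, so the comment no longer describes who runs the image. I would replace it with `# Runs as UID 10000, not the upstream grafana user; every GF_PATHS_* directory must be writable by that UID`. Only /etc/redxen/grafana/ is chowned here; whether the data, log and plugin directories the upstream image prepares for its own user accept writes from 10000 is not visible in this hunk and is worth confirming before relying on the image.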


@ -4,13 +4,19 @@ RUN --network=host apk add \
murmur \
qt5-qtbase-postgresql
COPY --from=redxen.eu/data/pki/letsencrypt:latest /ca.cer /etc/redxen/mumble-cert/ca.crt
COPY --from=redxen.eu/data/pki/letsencrypt:latest /cert.cer /etc/redxen/mumble-cert/mumble.crt
COPY --from=redxen.eu/data/pki/letsencrypt:latest /cert.key /etc/redxen/mumble-cert/mumble.key
COPY --chown=10000:10000 --from=redxen.eu/data/pki/letsencrypt:latest /ca.cer /etc/redxen/mumble-cert/ca.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/letsencrypt:latest /cert.cer /etc/redxen/mumble-cert/mumble.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/letsencrypt:latest /cert.key /etc/redxen/mumble-cert/mumble.key
COPY --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /root/.postgresql/root.crt
COPY --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/certs/murmur.crt /root/.postgresql/postgresql.crt
COPY --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/keys/murmur.key /root/.postgresql/postgresql.key
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /etc/redxen/postgresql/root.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/certs/murmur.crt /etc/redxen/postgresql/postgresql.crt
COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/keys/murmur.key /etc/redxen/postgresql/postgresql.key
ENV \
PGSSLCERT=/etc/redxen/postgresql/postgresql.crt \
PGSSLKEY=/etc/redxen/postgresql/postgresql.key \
PGSSLROOTCERT=/etc/redxen/postgresql/root.crt \
PGSSLMODE=verify-ca
WORKDIR /etc/redxen/murmur
@ -18,5 +24,7 @@ ADD murmur.ini murmur.ini
RUN \
--mount=type=bind,from=redxen.eu/data/secrets/murmurd:latest,src=/,dst=/run/secrets \
echo "registerPassword=$(cat /run/secrets/register_password)" >> murmur.ini
RUN chown -Rv 10000:10000 ./
USER 10000:10000
CMD ["murmurd", "-fg", "-ini", "murmur.ini"]
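Review bot: `PGSSLMODE=verify-ca` in the new `ENV` block checks only that the server certificate chains to root.crt; `PGSSLMODE=verify-full` would additionally match the server's host name against the certificate, which is the usual choice when one private CA issues several certificates. The key copied to /etc/redxen/postgresql/postgresql.key takes its owner from `--chown` but keeps the source file's mode, and libpq refuses a user-owned private key that is group- or world-readable, so `COPY --chown=10000:10000 --chmod=0600 …postgresql.key` on that line would pin the mode instead of depending on the PKI image. Both points assume the Qt PostgreSQL plugin connects through libpq, which reads these PGSSL* variables; that is my understanding of qt5-qtbase-postgresql, but confirm it.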


@ -8,12 +8,18 @@ RUN --network=host apk add \
WORKDIR /etc/redxen/nginx
USER root
RUN mkdir -p module/
ADD nginx.conf ./nginx.conf
ADD start.sh ./start.sh
RUN chmod +x ./start.sh
RUN mkdir -pv /run/nginx /var/lib/nginx
RUN chown -Rc 10000:10000 ./ /run/nginx /var/lib/nginx
# Test as root, nginx does too much bullshit beyond validation
RUN ./start.sh -t
USER 10000:10000
CMD ["./start.sh"]
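Review bot: `RUN chown -Rc 10000:10000 ./ /run/nginx /var/lib/nginx` runs before the root-level `RUN ./start.sh -t`, and as far as I recall an nginx configuration test also creates any temp directories named in the config (client_body_temp and friends) under the prefix when they are missing, owned by root or nginx's default user rather than 10000 — anything the test creates is then outside the chown and the 10000:10000 master cannot write to it at runtime. Moving the chown after `RUN ./start.sh -t`, or running the test as 10000 once /run/nginx and /var/lib/nginx are writable, avoids that; whether the current config actually triggers it depends on nginx.conf, which is only partly visible here. The homepage section repeats the same root-level test and would want the same ordering. Separately, nginx.conf and start.sh are plain local files, so `COPY --chmod=0755 start.sh ./start.sh` would also fold the `RUN chmod +x ./start.sh` layer into the copy.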


@ -1,4 +1,4 @@
error_log stderr;
error_log /proc/self/fd/2;
worker_processes auto;
worker_cpu_affinity auto;
@ -11,13 +11,15 @@ load_module "/usr/lib/nginx/modules/ngx_http_dav_ext_module.so";
events {}
http {
access_log stdout;
access_log /proc/self/fd/1;
gzip on;
gzip_vary on;
tcp_nopush on;
tcp_nodelay on;
absolute_redirect off;
keepalive_timeout 300;
client_max_body_size 0;
directio 4m;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include module/*.conf;
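Review bot: `client_max_body_size 0;` in the `http` block removes the request-body limit for every server and location this file includes, not only the DAV endpoints that the loaded `ngx_http_dav_ext_module` suggests it is meant for. Scoping it to the upload `location` in the module config and keeping a finite default here bounds how much any other endpoint will buffer to disk for a single request. If the global setting is deliberate, a comment on the line, `# unlimited bodies for WebDAV uploads; move into the DAV location if other endpoints are added`, would record that intent.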


@ -2,6 +2,7 @@
exec nginx \
-p /etc/redxen/nginx \
-g 'daemon off; error_log stderr info;' \
-e stderr \
-g 'daemon off;' \
-c nginx.conf \
$@
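Review bot: `$@` on the last line is unquoted, so any argument containing spaces or glob characters is split or expanded before it reaches nginx; it should be `"$@"`. The new `-e stderr` flag only exists in nginx 1.19.5 and later — fine for a current Alpine package, but a comment such as `# -e needs nginx >= 1.19.5` would save the next reader a trip to the changelog. The script's first line (the shebang) is outside the hunk.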


@ -4,4 +4,8 @@ ADD homepage.conf module/homepage.conf
COPY --from=redxen.eu/data/homepage/combined:latest / /homepage
USER root
# Test as root, nginx does too much bullshit beyond validation
RUN ./start.sh -t
USER 10000:10000


@ -19,22 +19,20 @@ RUN ./postgres-seeder \
FROM postgres:alpine
# FUCK YOU I PROVIDE MY OWN HBA EAT FUCKING SHIT
RUN --network=host apk add \
patch
ADD disable-hba-patcher.patch /tmp/disable-hba-patcher.patch
RUN patch -p0 /usr/local/bin/docker-entrypoint.sh /tmp/disable-hba-patcher.patch
# Certificates
COPY --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /etc/redxen/postgres-cert/redxen.eu/certs/ca.crt
COPY --from=redxen.eu/data/pki/self/client/postgres:latest /redxen.eu/certs/postgres.crt /etc/redxen/postgres-cert/redxen.eu/certs/postgres.crt
COPY --from=redxen.eu/data/pki/self/client/postgres:latest /redxen.eu/keys/postgres.key /etc/redxen/postgres-cert/redxen.eu/keys/postgres.key
RUN chown -Rv postgres:postgres /etc/redxen/postgres-cert/
# Customized init script
ADD init.sh /usr/libexec/init.sh
RUN chmod +x /usr/libexec/init.sh
ADD postgresql.conf /etc/postgresql/postgresql.conf
COPY --from=init /root/pg_hba.conf /etc/postgresql/pg_hba.conf
COPY --from=init /root/init.sql /docker-entrypoint-initdb.d/init.sql
ADD databases/mail.sql /docker-entrypoint-initdb.d/mail.sql
# TODO: https://hub.docker.com/_/postgres > Initialisation scripts (Database)
ENTRYPOINT [""]
CMD ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]
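Review bot: The new `/usr/libexec/init.sh` is added and made executable, but nothing in this hunk runs it: `ENTRYPOINT [""]` and `CMD ["postgres", "-c", …]` start the server directly, and with the entrypoint patch removed the upstream docker-entrypoint.sh is no longer prepared for use either. Presumably whatever invoked the patched docker-entrypoint.sh before is now expected to invoke init.sh on an empty PGDATA; that caller is not part of this commit, so a comment on the `ADD init.sh` line, `# One-shot initialisation for an empty PGDATA; run before the CMD, the upstream entrypoint is not used`, should state the contract. `ADD --chmod=0755 init.sh /usr/libexec/init.sh` would also fold the following `RUN chmod +x` layer into the copy.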


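--- a/disable-hba-patcher.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-@@ -310,8 +257,6 @@
-# only run initialization on an empty data directory
-if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-- docker_verify_minimum_env
--
-# check dir permissions to reduce likelihood of half-initialized database
-ls /docker-entrypoint-initdb.d/ > /dev/null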


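--- /dev/null
+++ b/init.sh
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+docker_process_init_files() {
+printf '\n'
+local f
+for f; do
+case "$f" in
+*.sh)
+# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+# https://github.com/docker-library/postgres/pull/452
+if [ -x "$f" ]; then
+printf '%s: running %s\n' "$0" "$f"
+"$f"
+else
+printf '%s: sourcing %s\n' "$0" "$f"
+. "$f"
+fi
+;;
+*.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+*.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+*.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+*) printf '%s: ignoring %s\n' "$0" "$f" ;;
+esac
+printf '\n'
+done
+}
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+PGHOST= \
+PGHOSTADDR= \
+PGUSER="${POSTGRES_USER}" \
+psql \
+-v ON_ERROR_STOP=1 \
+--username "$POSTGRES_USER" \
+--no-password \
+--no-psqlrc \
+$@
+}
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+: ${PGDATA:=/var/lib/postgresql/data}
+: ${POSTGRES_USER:=postgres}
+if [ -s "$PGDATA/PG_VERSION" ]; then
+DATABASE_ALREADY_EXISTS='true'
+fi
+}
+docker_initdb() {
+NOTIFY_SOCKET= \
+PGUSER="${POSTGRES_USER}" \
+pg_ctl -D "$PGDATA" \
+-w initdb
+}
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+# internal start of server in order to allow setup using psql client
+# does not listen on external TCP/IP and waits until start finishes
+set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+# any process supervisor.
+NOTIFY_SOCKET= \
+PGUSER="${POSTGRES_USER}" \
+pg_ctl -D "$PGDATA" \
+-o "$(printf '%q ' "$@")" \
+-w start
+}
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+PGUSER="${POSTGRES_USER}" \
+pg_ctl -D "$PGDATA" -m fast -w stop
+}
+_main() {
+docker_setup_env
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+docker_initdb
+docker_temp_server_start "$@"
+docker_process_init_files /docker-entrypoint-initdb.d/*
+docker_temp_server_stop
+cat <<-'EOM'
+PostgreSQL init process complete; ready for start up.
+EOM
+else
+cat <<-'EOM'
+PostgreSQL Database directory appears to contain a database; Skipping initialization
+EOM
+fi
+}
+_main "$@"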
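Review bot: `docker_process_sql` forwards its arguments to `psql` as an unquoted `$@`, so a `--dbname` value or file name containing whitespace is split before psql sees it; the upstream script this is derived from uses `"$@"` there. `docker_temp_server_start` also omits upstream's leading `if [ "$1" = 'postgres' ]; then shift; fi`, so if init.sh is ever invoked with the server command line the way docker-entrypoint.sh is, the literal word `postgres` travels through `pg_ctl -o` as a server option; no caller is visible in this commit, so that may be intentional. `_main` returns after initialisation without starting the server, which makes the script a one-shot init step rather than an entrypoint replacement — a header comment saying so, and noting that `docker_initdb` runs `pg_ctl initdb` with no `--auth` options so the pg_hba.conf written into PGDATA is initdb's default, would spare the next reader from reconstructing this.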