From 2cc6bad069f3f112c0a67eaef36bc90c3989623e Mon Sep 17 00:00:00 2001 From: Christian Busch Date: Sun, 26 Apr 2026 16:57:28 +0200 Subject: [PATCH] Run script in conatiner as unrivileged user. --- docker/Dockerfile | 5 +++++ docker/docker-compose.yml | 2 +- docker/entrypoint.sh | 24 +++++++++++++++++++++++- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 83cb595..07f3912 100755 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -2,6 +2,8 @@ FROM alpine:latest ENV TZ="UTC" ENV SCHEDULE="* * * * *" +ENV PUID=1000 +ENV PGID=1000 ## Configure runtime variables for nsupdate ENV NSUPDATE_CONFD_DIR="/config" @@ -24,6 +26,9 @@ RUN chmod +x /usr/local/bin/nsupdate.sh COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh RUN chmod +x /usr/local/bin/entrypoint.sh +# Create volume directories (ownership will be set at runtime) +RUN mkdir -p /config /log + ## Start crond ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] CMD [ "crond", "-f" ] diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 46a63e4..e00b1c2 100755 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -5,7 +5,7 @@ services: image: git.debilux.org/chris/nsupdate container_name: nsupdate environment: - - SCHEDULE="*\2 * * * *" + - SCHEDULE=*\2 * * * * - TZ=Europe/Berlin - NSUPDATE_INWX_USER=YOUR_INWX_USERNAME - NSUPDATE_INWX_PASSWORD=YOUR_INWX_PASSWORD diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 66d0be5..456f448 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
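Review bot: `ENV PUID=1000` and `ENV PGID=1000` in the first Dockerfile hunk are added without any comment saying what they control; only the entrypoint hunk reveals that they pick the UID/GID of the account the cron job switches to and the owner the volumes are chowned to, so an operator reading the Dockerfile or `docker inspect` has no hint that they should match the host owner of the mounted `/config` and `/log`. A one-line comment above `ENV PUID=1000` would do, e.g. `## UID/GID the scheduled nsupdate run executes as; set to the owner of the mounted /config and /log`. Separately, `FROM alpine:latest` in the hunk context is pre-existing, but now that the entrypoint depends on BusyBox's exact `adduser`/`addgroup`/`su` option set, an unpinned base means a routine rebuild can change those tools underneath it; a pinned tag (for example `alpine:3.x`, version to be chosen) would make that explicit.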
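Review bot: The final stage still has no `USER`, so `CMD [ "crond", "-f" ]` keeps PID 1 running as root even though the commit is titled as an unprivileged run; that follows from the design (the entrypoint hunk switches each job to PUID:PGID with `su`, which needs root), so it is not a defect, but it should be stated at the `## Start crond` line instead of being left for readers to work out. Suggested replacement comment: `## crond itself stays root; the entrypoint creates the PUID:PGID account and each scheduled run is switched to it with su`. The new `RUN mkdir -p /config /log` leaves both directories root-owned in the image, which only works because the entrypoint hunk runs `chown -R "${PUID}:${PGID}" /config /log` on every start; if that chown is ever made conditional or removed, ownership must be set here as well, so the comment `(ownership will be set at runtime)` should name the entrypoint explicitly, e.g. `# Volume mount points; entrypoint.sh chowns them to PUID:PGID at start`.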
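Review bot: The new `- SCHEDULE=*\2 * * * *` keeps `*\2` in the minute field, which is not cron syntax (the every-two-minutes step form is `*/2`), so the crontab line the entrypoint generates from it will presumably be rejected by BusyBox `crond` and the job never runs; the line should read `- SCHEDULE=*/2 * * * *`. Dropping the double quotes was correct on its own: in the list form of `environment:` the whole `SCHEDULE="..."` item is one plain scalar, so the quotes were being passed into the variable's value. The `NSUPDATE_INWX_PASSWORD=YOUR_INWX_PASSWORD` context line below is untouched by this commit, but since this compose file is tracked, moving the two `NSUPDATE_INWX_*` entries to an `env_file` would keep a filled-in copy from ever being committed.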
@@ -4,9 +4,31 @@ set -eu SCHEDULE="${SCHEDULE:-* * * * *}" CRON_LOG_LEVEL="${CRON_LOG_LEVEL:-2}" +PUID="${PUID:-1000}" +PGID="${PGID:-1000}" CRON_FILE="/etc/crontabs/root" -printf '%s /usr/local/bin/nsupdate.sh\n' "${SCHEDULE}" > "${CRON_FILE}" +# Create or update group with specified PGID +if grep -q "^nsupdate:" /etc/group 2>/dev/null; then + delgroup nsupdate 2>/dev/null || true +fi +addgroup -g "${PGID}" nsupdate 2>/dev/null || true + +# Create or update user with specified PUID +if grep -q "^nsupdate:" /etc/passwd 2>/dev/null; then + deluser nsupdate 2>/dev/null || true +fi +adduser -u "${PUID}" -G nsupdate -s /sbin/nologin -D nsupdate 2>/dev/null || true + +# Set ownership of volumes +chown -R "${PUID}:${PGID}" /config /log + +# Ensure crontabs directory exists +mkdir -p "$(dirname "${CRON_FILE}")" + +# Write cron job to run as the specified user (by UID:GID) +printf '%s su -s /bin/sh %s:%s -c /usr/local/bin/nsupdate.sh\n' "${SCHEDULE}" "${PUID}" "${PGID}" > "${CRON_FILE}" +chmod 600 "${CRON_FILE}" if [ "$#" -gt 0 ]; then if [ "$1" = "crond" ]; then