From a7e2b20ca24a3b898bd3deb6658dce185781c0c5 Mon Sep 17 00:00:00 2001
From: thespad
Date: Sun, 11 May 2025 14:33:51 +0100
Subject: [PATCH] Support ro/non-root
---
 .editorconfig | 0
 .github/CONTRIBUTING.md | 0
 .github/FUNDING.yml | 0
 .github/ISSUE_TEMPLATE/config.yml | 0
 .github/ISSUE_TEMPLATE/issue.bug.yml | 0
 .github/ISSUE_TEMPLATE/issue.feature.yml | 0
 .github/workflows/call_issue_pr_tracker.yml | 0
 .github/workflows/call_issues_cron.yml | 0
 .github/workflows/greetings.yml | 0
 .github/workflows/permissions.yml | 0
 LICENSE | 0
 README.md | 19 +++++++++++++
 readme-vars.yml | 7 +++++
 .../s6-overlay/s6-rc.d/init-code-server/run | 28 ++++++++++---------
 .../s6-overlay/s6-rc.d/svc-code-server/run | 19 +++++++++++--
 15 files changed, 57 insertions(+), 16 deletions(-)
 mode change 100755 => 100644 .editorconfig
 mode change 100755 => 100644 .github/CONTRIBUTING.md
 mode change 100755 => 100644 .github/FUNDING.yml
 mode change 100755 => 100644 .github/ISSUE_TEMPLATE/config.yml
 mode change 100755 => 100644 .github/ISSUE_TEMPLATE/issue.bug.yml
 mode change 100755 => 100644 .github/ISSUE_TEMPLATE/issue.feature.yml
 mode change 100755 => 100644 .github/workflows/call_issue_pr_tracker.yml
 mode change 100755 => 100644 .github/workflows/call_issues_cron.yml
 mode change 100755 => 100644 .github/workflows/greetings.yml
 mode change 100755 => 100644 .github/workflows/permissions.yml
 mode change 100755 => 100644 LICENSE
diff --git a/.editorconfig b/.editorconfig
old mode 100755
new mode 100644
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
old mode 100755
new mode 100644
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
old mode 100755
new mode 100644
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
old mode 100755
new mode 100644
diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml
old mode 100755
new mode 100644
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/call_issue_pr_tracker.yml b/.github/workflows/call_issue_pr_tracker.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/call_issues_cron.yml b/.github/workflows/call_issues_cron.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml
old mode 100755
new mode 100644
diff --git a/LICENSE b/LICENSE
old mode 100755
new mode 100644
diff --git a/README.md b/README.md
index d1a5f0f..c8d70c6 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,23 @@ git config --global user.email "email address"
 How to create the [hashed password](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#can-i-store-my-password-hashed).
+## Read-Only Operation
+
+This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+
+### Caveats
+
+* `/tmp` must be mounted to tmpfs
+* sudo will not be available
+
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
+### Caveats
+
+* sudo will not be available
+
 ## Usage
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -147,6 +164,8 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PROXY_DOMAIN=code-server.my.domain` | If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain) |
 | `-e DEFAULT_WORKSPACE=/config/workspace` | If this optional variable is set, code-server will open this directory by default |
 | `-v /config` | Contains all relevant configuration files. |
+| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 ## Environment variables from files (Docker secrets)
diff --git a/readme-vars.yml b/readme-vars.yml
index a6a29ef..f2722d7 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -36,6 +36,13 @@ opt_param_env_vars:
 - {env_var: "SUDO_PASSWORD_HASH", env_value: "", desc: "Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`."}
 - {env_var: "PROXY_DOMAIN", env_value: "code-server.my.domain", desc: "If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain)"}
 - {env_var: "DEFAULT_WORKSPACE", env_value: "/config/workspace", desc: "If this optional variable is set, code-server will open this directory by default"}
+readonly_supported: true
+readonly_message: |
+ * `/tmp` must be mounted to tmpfs
+ * sudo will not be available
+nonroot_supported: true
+nonroot_message: |
+ * sudo will not be available
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
diff --git a/root/etc/s6-overlay/s6-rc.d/init-code-server/run b/root/etc/s6-overlay/s6-rc.d/init-code-server/run
index c0fcead..0dfd55c 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-code-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-code-server/run
@@ -26,17 +26,19 @@ if [[ ! -f /config/.profile ]]; then
 cp /root/.profile /config/.profile
 fi
-# fix permissions (ignore contents of workspace)
-PUID=${PUID:-911}
-if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
- echo "Change in ownership or new install detected, please be patient while we chown existing files"
- echo "This could take some time"
- find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} +
- lsiown abc:abc /config/workspace
-fi
-chmod 700 /config/.ssh
-if [[ -n "$(ls -A /config/.ssh)" ]]; then
- find /config/.ssh/ -type d -exec chmod 700 '{}' \;
- find /config/.ssh/ -type f -exec chmod 600 '{}' \;
- find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \;
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+ # fix permissions (ignore contents of workspace)
+ PUID=${PUID:-911}
+ if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
+ echo "Change in ownership or new install detected, please be patient while we chown existing files"
+ echo "This could take some time"
+ find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} +
+ lsiown abc:abc /config/workspace
+ fi
+ chmod 700 /config/.ssh
+ if [[ -n "$(ls -A /config/.ssh)" ]]; then
+ find /config/.ssh/ -type d -exec chmod 700 '{}' \;
+ find /config/.ssh/ -type f -exec chmod 600 '{}' \;
+ find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \;
+ fi
 fi
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-code-server/run b/root/etc/s6-overlay/s6-rc.d/svc-code-server/run
index 97c7e09..1667e37 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-code-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-code-server/run
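Review bot: The new `LSIO_NON_ROOT_USER` guard skips the whole block, so in non-root mode the `chmod 700 /config/.ssh` and the `find /config/.ssh/ … chmod 600/644` pass are no longer run and a mounted key directory with loose modes is left as found; only the `lsiown abc:abc` ownership repair actually needs root. A chmod by the owning uid does not, so the mode repair can stay unconditional: end the guard with `fi` directly after the chown block's own `fi` and dedent the `chmod 700 /config/.ssh` line and the `find` conditional back to top level. Whether chmod succeeds in non-root mode depends on the running uid owning `/config/.ssh`, which this hunk cannot show; if that is not guaranteed, give those lines a `|| echo "could not fix /config/.ssh permissions"` so a failure is logged rather than silently ignored or, if the script runs with errexit (not visible here), aborting the init step.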
@@ -14,9 +14,21 @@ else
 PROXY_DOMAIN_ARG="--proxy-domain=${PROXY_DOMAIN}"
 fi
-exec \
- s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
- s6-setuidgid abc \
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+ exec \
+ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
+ s6-setuidgid abc \
+ /app/code-server/bin/code-server \
+ --bind-addr 0.0.0.0:8443 \
+ --user-data-dir /config/data \
+ --extensions-dir /config/extensions \
+ --disable-telemetry \
+ --auth "${AUTH}" \
+ "${PROXY_DOMAIN_ARG}" \
+ "${DEFAULT_WORKSPACE:-/config/workspace}"
+else
+ exec \
+ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
 /app/code-server/bin/code-server \
 --bind-addr 0.0.0.0:8443 \
 --user-data-dir /config/data \
@@ -25,3 +37,4 @@ exec \
 --auth "${AUTH}" \
 "${PROXY_DOMAIN_ARG}" \
 "${DEFAULT_WORKSPACE:-/config/workspace}"
+fi
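Review bot: The two `exec` branches repeat the entire code-server command line and differ only in the `s6-setuidgid abc` line, so every future flag change has to be made twice and the privileged and unprivileged invocations can silently drift apart; the `+fi` in the second hunk closes this block. Select the privilege-drop prefix once and keep a single `exec`, as sketched below. Note also that the choice is keyed on the `LSIO_NON_ROOT_USER` variable rather than the effective uid, so if that variable were ever set while the container still runs as root, code-server would run as root without the setuid step; if the base image derives the variable from `id -u` this is moot, but it is worth a comment such as `# LSIO_NON_ROOT_USER is set by the base init when the container runs as a non-root --user; setuidgid is then neither needed nor permitted`. Expanding an empty array with `"${SETUID_ARGS[@]}"` is only a problem under `set -u` on bash older than 4.4, neither of which is visible in the hunk. The `else`/`fi` at the top of the hunk belong to the `PROXY_DOMAIN` conditional that starts above it.
```shell
if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
    SETUID_ARGS=(s6-setuidgid abc)
else
    SETUID_ARGS=()
fi
exec \
    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
    "${SETUID_ARGS[@]}" \
    /app/code-server/bin/code-server \
    --bind-addr 0.0.0.0:8443 \
# … unchanged: --user-data-dir through "${DEFAULT_WORKSPACE:-/config/workspace}" …
```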