Upstream/ls-code-server
2
0
Fork 0
mirror of https://github.com/linuxserver/docker-code-server.git synced 2025-05-15 19:59:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

Support ro/non-root

Browse Source
This commit is contained in:
thespad 2025-05-11 14:33:51 +01:00
parent badac0c5f0
commit a7e2b20ca2
No known key found for this signature in database
15 changed files with 57 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
.editorconfig Executable file → Normal file
View File

0
.github/CONTRIBUTING.md vendored Executable file → Normal file
View File

0
.github/FUNDING.yml vendored Executable file → Normal file
View File

0
.github/ISSUE_TEMPLATE/config.yml vendored Executable file → Normal file
View File

0
.github/ISSUE_TEMPLATE/issue.bug.yml vendored Executable file → Normal file
View File

0
.github/ISSUE_TEMPLATE/issue.feature.yml vendored Executable file → Normal file
View File

0
.github/workflows/call_issue_pr_tracker.yml vendored Executable file → Normal file
View File

0
.github/workflows/call_issues_cron.yml vendored Executable file → Normal file
View File

0
.github/workflows/greetings.yml vendored Executable file → Normal file
View File

0
.github/workflows/permissions.yml vendored Executable file → Normal file
View File

0
LICENSE Executable file → Normal file
View File

19
README.md
View File

@ -78,6 +78,23 @@ git config --global user.email "email address"
How to create the [hashed password](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#can-i-store-my-password-hashed). How to create the [hashed password](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#can-i-store-my-password-hashed).
## Read-Only Operation
This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
### Caveats
* `/tmp` must be mounted to tmpfs
* sudo will not be available
## Non-Root Operation
This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
### Caveats
* sudo will not be available
## Usage ## Usage
To help you get started creating a container from this image you can either use docker-compose or the docker cli. To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@ -147,6 +164,8 @@ Containers are configured using parameters passed at runtime (such as those abov
| `-e PROXY_DOMAIN=code-server.my.domain` | If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain) | | `-e PROXY_DOMAIN=code-server.my.domain` | If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain) |
| `-e DEFAULT_WORKSPACE=/config/workspace` | If this optional variable is set, code-server will open this directory by default | | `-e DEFAULT_WORKSPACE=/config/workspace` | If this optional variable is set, code-server will open this directory by default |
| `-v /config` | Contains all relevant configuration files. | | `-v /config` | Contains all relevant configuration files. |
| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
## Environment variables from files (Docker secrets) ## Environment variables from files (Docker secrets)

7
readme-vars.yml
View File

@ -36,6 +36,13 @@ opt_param_env_vars:
- {env_var: "SUDO_PASSWORD_HASH", env_value: "", desc: "Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`."} - {env_var: "SUDO_PASSWORD_HASH", env_value: "", desc: "Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`."}
- {env_var: "PROXY_DOMAIN", env_value: "code-server.my.domain", desc: "If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain)"} - {env_var: "PROXY_DOMAIN", env_value: "code-server.my.domain", desc: "If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain)"}
- {env_var: "DEFAULT_WORKSPACE", env_value: "/config/workspace", desc: "If this optional variable is set, code-server will open this directory by default"} - {env_var: "DEFAULT_WORKSPACE", env_value: "/config/workspace", desc: "If this optional variable is set, code-server will open this directory by default"}
readonly_supported: true
readonly_message: |
* `/tmp` must be mounted to tmpfs
* sudo will not be available
nonroot_supported: true
nonroot_message: |
* sudo will not be available
# application setup block # application setup block
app_setup_block_enabled: true app_setup_block_enabled: true
app_setup_block: | app_setup_block: |

14
root/etc/s6-overlay/s6-rc.d/init-code-server/run
View File

@ -26,17 +26,19 @@ if [[ ! -f /config/.profile ]]; then
cp /root/.profile /config/.profile cp /root/.profile /config/.profile
fi fi
# fix permissions (ignore contents of workspace) if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
PUID=${PUID:-911} # fix permissions (ignore contents of workspace)
if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then PUID=${PUID:-911}
if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
echo "Change in ownership or new install detected, please be patient while we chown existing files" echo "Change in ownership or new install detected, please be patient while we chown existing files"
echo "This could take some time" echo "This could take some time"
find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} + find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} +
lsiown abc:abc /config/workspace lsiown abc:abc /config/workspace
fi fi
chmod 700 /config/.ssh chmod 700 /config/.ssh
if [[ -n "$(ls -A /config/.ssh)" ]]; then if [[ -n "$(ls -A /config/.ssh)" ]]; then
find /config/.ssh/ -type d -exec chmod 700 '{}' \; find /config/.ssh/ -type d -exec chmod 700 '{}' \;
find /config/.ssh/ -type f -exec chmod 600 '{}' \; find /config/.ssh/ -type f -exec chmod 600 '{}' \;
find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \; find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \;
fi
fi fi

15
root/etc/s6-overlay/s6-rc.d/svc-code-server/run
View File

@ -14,7 +14,8 @@ else
PROXY_DOMAIN_ARG="--proxy-domain=${PROXY_DOMAIN}" PROXY_DOMAIN_ARG="--proxy-domain=${PROXY_DOMAIN}"
fi fi
exec \ if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
exec \
s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
s6-setuidgid abc \ s6-setuidgid abc \
/app/code-server/bin/code-server \ /app/code-server/bin/code-server \
@ -25,3 +26,15 @@ exec \
--auth "${AUTH}" \ --auth "${AUTH}" \
"${PROXY_DOMAIN_ARG}" \ "${PROXY_DOMAIN_ARG}" \
"${DEFAULT_WORKSPACE:-/config/workspace}" "${DEFAULT_WORKSPACE:-/config/workspace}"
else
exec \
s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
/app/code-server/bin/code-server \
--bind-addr 0.0.0.0:8443 \
--user-data-dir /config/data \
--extensions-dir /config/extensions \
--disable-telemetry \
--auth "${AUTH}" \
"${PROXY_DOMAIN_ARG}" \
"${DEFAULT_WORKSPACE:-/config/workspace}"
fi