The Wayback Machine - https://web.archive.org/web/20201127234606/https://github.com/itzg/entrypoint-demoter
Skip to content

/ entrypoint-demoter

Container entry point that can demote uid and gid from environment variables or matching directory

MIT License
2 stars 0 forks
Star
Watch
master
2 branches 4 tags
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github/workflows
 
 
cmd/entrypoint-demoter
 
 
.dockerignore
 
 
.gitignore
 
 
.goreleaser.yml
 
 
Dockerfile.test
 
 
LICENSE
 
 
Makefile
 
 
README.md
 
 
go.mod
 
 
go.sum
 
 
handler.go
 
 
resolve_unix.go
 
 
resolve_windows.go
 
 
run.go
 
 
test.sh
 
 

README.md

CircleCI GitHub release

Motivation

It is highly recommended that processes within containers do not run as root in order to prevent container breakouts; however, that goal is hard to maintain when attached volumes come into play. For example, Synology's DiskStation manages ownership of attachable volumes as regular UNIX users; however, its Docker integration doesn't allow for aligning the container's user with what is normally -u on the docker run command-line.

entrypoint-demoter solves this types of scenarios by allowing the container to momentarily run as root, but demote the initial sub-command to either match the ownership of a given path or be explicitly defined by UID/GID environment variables.

Usage

The command line arguments remaining after the options below are used to execute a sub-command with the demoted user ID (uid) and group ID (gid).

If executed as a non-root user, then this tool skips demoting entirely and just executes the sub-command with the current uid and gid.

Environment variables

  • UID : if set, demotes the sub-command to run with the given user ID
  • GID : if set, demotes the sub-command to run with the given group ID

Command-line

  • --match PATH : uses the ownership of the given path to determine a user and group ID
  • --stdin-on-term MESSAGE : some applications prefer to be gracefully stopped with a command on stdin rather than handling SIGTERM, such as Minecraft servers. The MESSAGE and a newline will be written to the sub-command's stdin when a TERM signal is received.
  • --debug : enables debug logging
  • --version : show version and exit

Example

The following shows how to use entrypoint-demoter in a Debian based Dockerfile. The entry.sh would be where your own entry point script/application would be specified.

ARG DEMOTER_VERSION=0.1.0
ARG DEMOTER_ARCH=amd64

ADD https://github.com/itzg/entrypoint-demoter/releases/download/${DEMOTER_VERSION}/entrypoint-demoter_${DEMOTER_VERSION}_linux_${DEMOTER_ARCH}.deb /usr/src

RUN dpkg -i /usr/src/entrypoint-demoter_${DEMOTER_VERSION}_linux_${DEMOTER_ARCH}.deb

ENTRYPOINT ["/usr/local/bin/entrypoint-demoter", "--match", "/data", "/entry.sh"]

The full context of this example can be seen in this Dockerfile

Testing

On a Linux system with Make and Docker installed invoke:

make test

About

Container entry point that can demote uid and gid from environment variables or matching directory

Resources

Readme

License

MIT License

Releases 4

v0.3.0 Latest
Jul 19, 2020
+ 3 releases

Languages

You can’t perform that action at this time.