Optional full rootless mode
Introduced environment variable DISABLE_SET_PERMS to provide an optional full rootless mode
madnuttah committed Jun 8, 2024
1 parent 5ad6b56 commit f0405b6
Showing 2 changed files with 40 additions and 24 deletions.
14 changes: 12 additions & 2 deletions doc/DETAILS.md
@@ -41,6 +41,7 @@
- [Directory Structure](#Directory-Structure)
- [Available Commands](#Available-Commands)
- [Recommended Environment Variables](#Recommended-Environment-Variables)
- [Optional Environment Variables](#Optional-Environment-Variables)
- [Networking](#Networking)
- [Usage](#Usage)
- [CacheDB (Redis)](#cachedb-redis)
@@ -208,11 +209,20 @@ false sh
| `UNBOUND_UID` | `1000` | `INT` | Your desired user id for user `_unbound` |
| `UNBOUND_GID` | `1000` | `INT` | Your desired group id for group `_unbound` |

### Optional Environment Variables

| Variable | Default | Value | Description |
| -------- | ------- | ----- | ---------- |
| `DISABLE_SET_PERMS` | `false` | `BOOL` | Set this to `true` for complete rootless mode and define user `_unbound` |

> [!CAUTION]
> Setting `DISABLE_SET_PERMS` to `true` *without* defining `user: _unbound` or `--user _unbound` will run the container under root!
### Networking

| Port | Description |
| --------- | ------------------------ |
| `5335` | Listening Port (TCP/UDP) |
| `5335` | Listening Port (tcp/udp) |

### Usage

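Review bot: Missing blank line between the `> Setting `DISABLE_SET_PERMS` to `true` ...` caution line and the `### Networking` heading that follows it; the rest of this file separates blocks from headings with a blank line (see the line before `### Optional Environment Variables`), so add one here for consistency. The caution could also say what the flag disables: with `DISABLE_SET_PERMS=true` the entrypoint in this commit skips the usermod/groupmod/chown step entirely, so `UNBOUND_UID`/`UNBOUND_GID` from the table just above are ignored and the UID passed via `user:`/`--user` must already be able to read and write the files under `/usr/local/unbound/`; as written, a reader will assume the two variables still take effect in rootless mode.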
@@ -410,7 +420,7 @@ unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53
unbound[0:1] info: generate keytag query _ta-4f66. NULL IN
```

**You'll find a redacted version of the Docker compose stack I'm currently using for comparison purposes [here](https://raw.githubusercontent.com/madnuttah/unbound-docker/main/doc/examples/docker-compose-madnuttah.yaml).**
**You'll find a redacted version of the Docker compose stack we`re currently using for comparison purposes [here](https://raw.githubusercontent.com/madnuttah/unbound-docker/main/doc/examples/docker-compose-madnuttah.yaml).**

# Documentation

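Review bot: `we`re` in the replacement line uses a backtick where an apostrophe belongs; it should read `we're`.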
50 changes: 28 additions & 22 deletions unbound/root/entrypoint
@@ -2,38 +2,44 @@

BLD='\033[1;97m'
CLR='\033[1;92m'
NRM='\033[0m'

SET_PERMS=0
STD='\033[0m'

DISABLE_SET_PERMS=${DISABLE_SET_PERMS:-"false"}
UNBOUND_UID=${UNBOUND_UID:-"1000"}
UNBOUND_GID=${UNBOUND_GID:-"1000"}

if [ "$(id -u _unbound)" -ne "$UNBOUND_UID" ]; then
usermod -o -u "$UNBOUND_UID" _unbound
SET_PERMS=1
fi

if [ "$(id -g _unbound)" -ne "$UNBOUND_GID" ]; then
groupmod -o -g "$UNBOUND_GID" _unbound
SET_PERMS=1
fi

if [ "$SET_PERMS" -eq 1 ]; then
chown -R "$UNBOUND_UID":"$UNBOUND_GID" /usr/local/unbound/ >/dev/null 2>&1
fi

function info {
echo -e "╔═════════════════════════════════════════════════════╗
β•‘ β•‘
β•‘ MΞ›DИVTTΞ›H Unbound Docker β•‘
β•‘ ${BLD}MΞ›DИVTTΞ›H Unbound Docker${STD} β•‘
β•‘ β•‘
β•‘ https://github.com/madnuttah/unbound-docker β•‘
β•‘ https://hub.docker.com/r/madnuttah/unbound β•‘
β•‘ β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
UNBOUND_UID: ${CLR}$(id -u _unbound)${NRM}
UNBOUND_GID: ${CLR}$(id -g _unbound)${NRM}
UNBOUND_UID: ${CLR}$(id -u _unbound)${STD}
UNBOUND_GID: ${CLR}$(id -g _unbound)${STD}
"

exec su-exec "$UNBOUND_UID":"$UNBOUND_GID" /usr/local/unbound/sbin/unbound.sh
}

BOOL=$DISABLE_SET_PERMS
if $BOOL; then
info
exec /usr/local/unbound/sbin/unbound.sh
else
SET_PERMS=0
if [ "$(id -u _unbound)" -ne "$UNBOUND_UID" ]; then
usermod -o -u "$UNBOUND_UID" _unbound
SET_PERMS=1
fi
if [ "$(id -g _unbound)" -ne "$UNBOUND_GID" ]; then
groupmod -o -g "$UNBOUND_GID" _unbound
SET_PERMS=1
fi
if [ "$SET_PERMS" -eq 1 ]; then
chown -R "$UNBOUND_UID":"$UNBOUND_GID" /usr/local/unbound/ >/dev/null 2>&1
fi
info
exec su-exec "$UNBOUND_UID":"$UNBOUND_GID" /usr/local/unbound/sbin/unbound.sh
fi

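Review bot: `if $BOOL; then` (right after `BOOL=$DISABLE_SET_PERMS`) executes the variable's contents as a command instead of testing a string, so only the literal words `true` and `false` behave as intended: a value such as `1`, `yes` or `TRUE` aborts the script with a command-not-found error, and any other string is run as a command with whatever privileges the entrypoint has. Prefer a plain comparison, e.g. `if [ "$DISABLE_SET_PERMS" = "true" ]; then`, and drop the `BOOL` alias. Also, in the rootless branch `UNBOUND_UID`/`UNBOUND_GID` are no longer used, yet `info` still prints `id -u _unbound` / `id -g _unbound` from /etc/passwd rather than the IDs the process actually runs as (`id -u` / `id -g`), which can mislead someone checking that `--user` took effect.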
0 comments on commit f0405b6