[Experimental] Move the capability setting back to bash_functions from the pihole-FTL service
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
parent
7ac0e8f0e3
commit
776bac7b90
|
@ -1,38 +1,5 @@
|
|||
#!/command/with-contenv bash
|
||||
|
||||
# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
|
||||
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
|
||||
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
|
||||
|
||||
/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
|
||||
/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
||||
/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
|
||||
/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
||||
/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
|
||||
|
||||
if [[ ${CAP_STR} ]]; then
|
||||
# We have the (some of) the above caps available to us - apply them to pihole-FTL
|
||||
setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$?
|
||||
|
||||
if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then
|
||||
# DHCP is requested but NET_ADMIN is not available.
|
||||
echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started."
|
||||
echo " Please add cap_net_admin to the container's capabilities or disable DHCP."
|
||||
DHCP_ACTIVE='false'
|
||||
change_setting "DHCP_ACTIVE" "false"
|
||||
fi
|
||||
|
||||
if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then
|
||||
echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root."
|
||||
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "WARNING: Unable to set capabilities for pihole-FTL."
|
||||
echo " Please ensure that the container has the required capabilities."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
s6-echo "Starting pihole-FTL ($FTL_CMD) as ${DNSMASQ_USER}"
|
||||
# Remove possible leftovers from previous pihole-FTL processes
|
||||
rm -f /dev/shm/FTL-* 2> /dev/null
|
||||
|
|
|
@ -30,6 +30,42 @@ changeFTLsetting() {
|
|||
addOrEditKeyValPair "${FTLconf}" "${1}" "${2}"
|
||||
}
|
||||
|
||||
fix_capabilities() {
|
||||
# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
|
||||
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
|
||||
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
|
||||
|
||||
/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
|
||||
/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
||||
/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
|
||||
/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
||||
/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
|
||||
|
||||
if [[ ${CAP_STR} ]]; then
|
||||
# We have the (some of) the above caps available to us - apply them to pihole-FTL
|
||||
setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$?
|
||||
|
||||
if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then
|
||||
# DHCP is requested but NET_ADMIN is not available.
|
||||
echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started."
|
||||
echo " Please add cap_net_admin to the container's capabilities or disable DHCP."
|
||||
DHCP_ACTIVE='false'
|
||||
change_setting "DHCP_ACTIVE" "false"
|
||||
fi
|
||||
|
||||
if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then
|
||||
echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root."
|
||||
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "WARNING: Unable to set capabilities for pihole-FTL."
|
||||
echo " Please ensure that the container has the required capabilities."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
ensure_basic_configuration() {
|
||||
|
||||
|
|
|
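Review bot: `CAP_STR`, `DHCP_READY` and `ret` are never declared or initialised inside `fix_capabilities`, so in a sourced function library they are globals that start from whatever the calling shell already holds. If the container environment is exported into that shell (the removed service script ran under `with-contenv`, so this seems likely), a pre-set `CAP_STR` would be appended to and then expanded unquoted into the `setcap` argument, which decides the file capabilities granted to pihole-FTL. I would open the function with `local CAP_STR='' DHCP_READY='' ret=0` and quote the call as `setcap "${CAP_STR:1}+ep" "$(command -v pihole-FTL)" || ret=$?`. Separately, `2>/dev/null` on each `capsh` probe means a missing or failing `/sbin/capsh` is indistinguishable from "capability not present" and ends in the generic WARNING branch; a one-line comment saying that is intended would help.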
@ -18,6 +18,7 @@ echo " ::: Starting docker specific checks & setup for docker pihole/pihole"
|
|||
|
||||
# Initial checks
|
||||
# ===========================
|
||||
fix_capabilities
|
||||
validate_env || exit 1
|
||||
ensure_basic_configuration
|
||||
|
||||
|
|
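Review bot: `fix_capabilities` is the only step in this block whose failure handling is hidden inside the function: it calls `exit 1` itself on both error paths, while the next line uses the `validate_env || exit 1` form. Having the function `return 1` and writing `fix_capabilities || exit 1` here would keep the decision to abort container start-up visible at the call site. The call also runs before `validate_env`, so it reads `DHCP_ACTIVE` and `DNSMASQ_USER` before whatever checks that function applies; whether that ordering matters cannot be told from this hunk.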