[Experimental] Move the capability setting back to bash_functions from the pihole-FTL service
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
This commit is contained in:
parent
7ac0e8f0e3
commit
776bac7b90
|
@ -1,38 +1,5 @@
|
||||||
#!/command/with-contenv bash
|
#!/command/with-contenv bash
|
||||||
|
|
||||||
# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
|
|
||||||
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
|
|
||||||
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
|
|
||||||
|
|
||||||
/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
|
|
||||||
/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
|
||||||
/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
|
|
||||||
/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
|
||||||
/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
|
|
||||||
|
|
||||||
if [[ ${CAP_STR} ]]; then
|
|
||||||
# We have the (some of) the above caps available to us - apply them to pihole-FTL
|
|
||||||
setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$?
|
|
||||||
|
|
||||||
if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then
|
|
||||||
# DHCP is requested but NET_ADMIN is not available.
|
|
||||||
echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started."
|
|
||||||
echo " Please add cap_net_admin to the container's capabilities or disable DHCP."
|
|
||||||
DHCP_ACTIVE='false'
|
|
||||||
change_setting "DHCP_ACTIVE" "false"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then
|
|
||||||
echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root."
|
|
||||||
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "WARNING: Unable to set capabilities for pihole-FTL."
|
|
||||||
echo " Please ensure that the container has the required capabilities."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
s6-echo "Starting pihole-FTL ($FTL_CMD) as ${DNSMASQ_USER}"
|
s6-echo "Starting pihole-FTL ($FTL_CMD) as ${DNSMASQ_USER}"
|
||||||
# Remove possible leftovers from previous pihole-FTL processes
|
# Remove possible leftovers from previous pihole-FTL processes
|
||||||
rm -f /dev/shm/FTL-* 2> /dev/null
|
rm -f /dev/shm/FTL-* 2> /dev/null
|
||||||
|
|
|
@ -30,6 +30,42 @@ changeFTLsetting() {
|
||||||
addOrEditKeyValPair "${FTLconf}" "${1}" "${2}"
|
addOrEditKeyValPair "${FTLconf}" "${1}" "${2}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fix_capabilities() {
|
||||||
|
# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
|
||||||
|
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
|
||||||
|
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
|
||||||
|
|
||||||
|
/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
|
||||||
|
/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
||||||
|
/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
|
||||||
|
/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
||||||
|
/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
|
||||||
|
|
||||||
|
if [[ ${CAP_STR} ]]; then
|
||||||
|
# We have the (some of) the above caps available to us - apply them to pihole-FTL
|
||||||
|
setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$?
|
||||||
|
|
||||||
|
if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then
|
||||||
|
# DHCP is requested but NET_ADMIN is not available.
|
||||||
|
echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started."
|
||||||
|
echo " Please add cap_net_admin to the container's capabilities or disable DHCP."
|
||||||
|
DHCP_ACTIVE='false'
|
||||||
|
change_setting "DHCP_ACTIVE" "false"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then
|
||||||
|
echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root."
|
||||||
|
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "WARNING: Unable to set capabilities for pihole-FTL."
|
||||||
|
echo " Please ensure that the container has the required capabilities."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
ensure_basic_configuration() {
|
ensure_basic_configuration() {
|
||||||
|
|
||||||
|
|
|
@ -18,6 +18,7 @@ echo " ::: Starting docker specific checks & setup for docker pihole/pihole"
|
||||||
|
|
||||||
# Initial checks
|
# Initial checks
|
||||||
# ===========================
|
# ===========================
|
||||||
|
fix_capabilities
|
||||||
validate_env || exit 1
|
validate_env || exit 1
|
||||||
ensure_basic_configuration
|
ensure_basic_configuration
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue