author | Jakob Borg <jakob@kastelo.net> | 2022-09-26 13:39:41 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-26 13:39:41 +0200 |
commit | 361f7ae56435806c373d02d179c7a60caf845ddf (patch) | |
tree | 8c738f70266fb58296716b0f25399b0433623e7e /script | |
parent | 1cd2f5a91ff853a5136b1110dd05efcf0065a576 (diff) | |
download | syncthing-361f7ae56435806c373d02d179c7a60caf845ddf.tar.gz syncthing-361f7ae56435806c373d02d179c7a60caf845ddf.zip |
docker: Add env var to control capabilities (#8552)
As it's not simple to run a container under Docker/Kubernetes as
non-root but with additional capabilities, add an internal hack.
Diffstat (limited to 'script')
-rwxr-xr-x | script/docker-entrypoint.sh | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/script/docker-entrypoint.sh b/script/docker-entrypoint.sh
index 071092a09..f56817d1b 100755
--- a/script/docker-entrypoint.sh
+++ b/script/docker-entrypoint.sh
@@ -3,6 +3,17 @@
 set -eu
 
 if [ "$(id -u)" = '0' ]; then
+ binary="$1"
+ if [ "$PCAP" == "" ] ; then
+ # If Syncthing should have no extra capabilities, make sure to remove them
+ # from the binary. This will fail with an error if there are no
+ # capabilities to remove, hence the || true etc.
+ setcap -r "$binary" 2>/dev/null || true
+ else
+ # Set capabilities on the Syncthing binary before launching it.
+ setcap "$PCAP" "$binary"
+ fi
+
 chown "${PUID}:${PGID}" "${HOME}" \
 && exec su-exec "${PUID}:${PGID}" \
 env HOME="$HOME" "$@" |
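Review bot: `if [ "$PCAP" == "" ]` at the top of the added block runs under the `set -eu` context line, so a container started without PCAP in its environment aborts with an unbound-variable error before the existing chown/su-exec line is reached, unless the image's Dockerfile (not part of this diff) declares a default for it. `if [ -z "${PCAP:-}" ]; then` keeps the behaviour for an empty value, handles the unset case, and drops `==`, which is not POSIX `test` syntax and is only accepted by some `/bin/sh` implementations. The non-empty branch hands the value verbatim to setcap, so whoever controls the container environment decides which file capabilities the binary keeps after su-exec drops root; that is the intended hack, but the comment should say so, e.g. `# PCAP is trusted as-is: it is passed unchanged to setcap, so it must only come from the deployment config.` Note also that `binary="$1"` assumes the first argument is a path setcap can open; a bare command name that relies on PATH lookup would make the `setcap "$PCAP" "$binary"` line fail and, under `set -e`, stop the entrypoint.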