From 618ff781ebfdd59f19c33784c664a207731f98b4 Mon Sep 17 00:00:00 2001 From: Archi Date: Sun, 17 Oct 2021 16:19:07 +0200 Subject: [PATCH] Use ASF user account inside docker --- ArchiSteamFarm/Core/OS.cs | 7 ----- ArchiSteamFarm/Program.cs | 2 +- .../generic-netf/ArchiSteamFarm-Service.sh | 27 ++++++++++++++++--- .../overlay/generic-netf/ArchiSteamFarm.sh | 27 ++++++++++++++++--- .../overlay/generic/ArchiSteamFarm-Service.sh | 27 ++++++++++++++++--- .../overlay/generic/ArchiSteamFarm.sh | 27 ++++++++++++++++--- .../overlay/linux/ArchiSteamFarm-Service.sh | 27 ++++++++++++++++--- Dockerfile | 6 +++++ Dockerfile.Service | 6 +++++ 9 files changed, 133 insertions(+), 23 deletions(-) diff --git a/ArchiSteamFarm/Core/OS.cs b/ArchiSteamFarm/Core/OS.cs index 4588fa4c5..289d315da 100644 --- a/ArchiSteamFarm/Core/OS.cs +++ b/ArchiSteamFarm/Core/OS.cs @@ -166,13 +166,6 @@ namespace ArchiSteamFarm.Core { return false; } - internal static bool IsRunningInDocker() => -#if ASF_VARIANT_DOCKER - true; -#else - Environment.GetEnvironmentVariable("DOTNET_RUNNING_IN_CONTAINER") == "true"; -#endif - internal static async Task RegisterProcess() { if (SingleInstance != null) { return false; diff --git a/ArchiSteamFarm/Program.cs b/ArchiSteamFarm/Program.cs index bd22e6545..995239f91 100644 --- a/ArchiSteamFarm/Program.cs +++ b/ArchiSteamFarm/Program.cs @@ -220,7 +220,7 @@ namespace ArchiSteamFarm { return false; } - if (!OS.IsRunningInDocker() && OS.IsRunningAsRoot()) { + if (OS.IsRunningAsRoot()) { ASF.ArchiLogger.LogGenericError(Strings.WarningRunningAsRoot); await Task.Delay(SharedInfo.InformationDelay).ConfigureAwait(false); diff --git a/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm-Service.sh b/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm-Service.sh index 6a6f2d233..effc2ca3e 100755 --- a/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm-Service.sh +++ b/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm-Service.sh @@ -63,6 +63,15 @@ for ARG in "$@"; do fi done +BINARY_PREFIX="" + +if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then + # Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own + chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR" + + BINARY_PREFIX="su ${ASF_USER} -c" +fi + CONFIG_PATH="$(pwd)/${CONFIG_PATH}" # Kill underlying ASF process on shell process exit @@ -78,11 +87,23 @@ mono --version while :; do if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then # We're running ASF in headless mode so we don't need STDIN - mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call - wait $! # This will forward mono error code, set -e will abort the script if it's non-zero + # Start ASF in the background, trap will work properly due to non-blocking call + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS" & + else + mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS & + fi + + # This will forward mono error code, set -e will abort the script if it's non-zero + wait $! else # We're running ASF in non-headless mode, so we need STDIN to be operative - mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap sadly won't work until process exit + # Start ASF in the foreground, trap won't work until process exit + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS" + else + mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS + fi fi chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update diff --git a/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm.sh b/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm.sh index 044576853..ae4738b6d 100755 --- a/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm.sh +++ b/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm.sh @@ -63,6 +63,15 @@ for ARG in "$@"; do fi done +BINARY_PREFIX="" + +if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then + # Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own + chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR" + + BINARY_PREFIX="su ${ASF_USER} -c" +fi + CONFIG_PATH="$(pwd)/${CONFIG_PATH}" # Kill underlying ASF process on shell process exit @@ -77,11 +86,23 @@ mono --version if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then # We're running ASF in headless mode so we don't need STDIN - mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call - wait $! # This will forward mono error code, set -e will abort the script if it's non-zero + # Start ASF in the background, trap will work properly due to non-blocking call + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS" & + else + mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS & + fi + + # This will forward mono error code, set -e will abort the script if it's non-zero + wait $! else # We're running ASF in non-headless mode, so we need STDIN to be operative - mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap won't work until process exit + # Start ASF in the foreground, trap won't work until process exit + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "mono ${MONO_ARGS-} $BINARY $BINARY_ARGS" + else + mono ${MONO_ARGS-} "$BINARY" $BINARY_ARGS + fi fi chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update diff --git a/ArchiSteamFarm/overlay/generic/ArchiSteamFarm-Service.sh b/ArchiSteamFarm/overlay/generic/ArchiSteamFarm-Service.sh index a9d9bd48d..36db683aa 100755 --- a/ArchiSteamFarm/overlay/generic/ArchiSteamFarm-Service.sh +++ b/ArchiSteamFarm/overlay/generic/ArchiSteamFarm-Service.sh @@ -63,6 +63,15 @@ for ARG in "$@"; do fi done +BINARY_PREFIX="" + +if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then + # Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own + chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR" + + BINARY_PREFIX="su ${ASF_USER} -c" +fi + CONFIG_PATH="$(pwd)/${CONFIG_PATH}" # Kill underlying ASF process on shell process exit @@ -78,11 +87,23 @@ dotnet --info while :; do if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then # We're running ASF in headless mode so we don't need STDIN - dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call - wait $! # This will forward dotnet error code, set -e will abort the script if it's non-zero + # Start ASF in the background, trap will work properly due to non-blocking call + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS" & + else + dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS & + fi + + # This will forward dotnet error code, set -e will abort the script if it's non-zero + wait $! else # We're running ASF in non-headless mode, so we need STDIN to be operative - dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap sadly won't work until process exit + # Start ASF in the foreground, trap won't work until process exit + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS" + else + dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS + fi fi chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update diff --git a/ArchiSteamFarm/overlay/generic/ArchiSteamFarm.sh b/ArchiSteamFarm/overlay/generic/ArchiSteamFarm.sh index 09d88607e..c4e82f76a 100755 --- a/ArchiSteamFarm/overlay/generic/ArchiSteamFarm.sh +++ b/ArchiSteamFarm/overlay/generic/ArchiSteamFarm.sh @@ -63,6 +63,15 @@ for ARG in "$@"; do fi done +BINARY_PREFIX="" + +if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then + # Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own + chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR" + + BINARY_PREFIX="su ${ASF_USER} -c" +fi + CONFIG_PATH="$(pwd)/${CONFIG_PATH}" # Kill underlying ASF process on shell process exit @@ -77,11 +86,23 @@ dotnet --info if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then # We're running ASF in headless mode so we don't need STDIN - dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call - wait $! # This will forward dotnet error code, set -e will abort the script if it's non-zero + # Start ASF in the background, trap will work properly due to non-blocking call + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS" & + else + dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS & + fi + + # This will forward dotnet error code, set -e will abort the script if it's non-zero + wait $! else # We're running ASF in non-headless mode, so we need STDIN to be operative - dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap won't work until process exit + # Start ASF in the foreground, trap won't work until process exit + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "dotnet ${DOTNET_ARGS-} $BINARY $BINARY_ARGS" + else + dotnet ${DOTNET_ARGS-} "$BINARY" $BINARY_ARGS + fi fi chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update diff --git a/ArchiSteamFarm/overlay/linux/ArchiSteamFarm-Service.sh b/ArchiSteamFarm/overlay/linux/ArchiSteamFarm-Service.sh index cbbc09899..1cefc3f03 100755 --- a/ArchiSteamFarm/overlay/linux/ArchiSteamFarm-Service.sh +++ b/ArchiSteamFarm/overlay/linux/ArchiSteamFarm-Service.sh @@ -63,6 +63,15 @@ for ARG in "$@"; do fi done +BINARY_PREFIX="" + +if [ -n "${ASF_USER-}" ] && [ "$(id -u)" -eq 0 ] && id -u "$ASF_USER" >/dev/null 2>&1; then + # Fix permissions first to ensure ASF has read/write access to the directory specified by --path and its own + chown -hR "${ASF_USER}:${ASF_USER}" . "$SCRIPT_DIR" + + BINARY_PREFIX="su ${ASF_USER} -c" +fi + CONFIG_PATH="$(pwd)/${CONFIG_PATH}" # Kill underlying ASF process on shell process exit @@ -71,11 +80,23 @@ trap "trap - TERM && kill -- -$$" INT TERM while :; do if [ -f "$CONFIG_PATH" ] && grep -Eq '"Headless":\s+?true' "$CONFIG_PATH"; then # We're running ASF in headless mode so we don't need STDIN - "$BINARY" $BINARY_ARGS & # Start ASF in the background, trap will work properly due to non-blocking call - wait $! # This will forward dotnet error code, set -e will abort the script if it's non-zero + # Start ASF in the background, trap will work properly due to non-blocking call + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "$BINARY $BINARY_ARGS" & + else + "$BINARY" $BINARY_ARGS & + fi + + # This will forward dotnet error code, set -e will abort the script if it's non-zero + wait $! else # We're running ASF in non-headless mode, so we need STDIN to be operative - "$BINARY" $BINARY_ARGS # Start ASF in the foreground, trap sadly won't work until process exit + # Start ASF in the foreground, trap won't work until process exit + if [ -n "$BINARY_PREFIX" ]; then + $BINARY_PREFIX "$BINARY $BINARY_ARGS" + else + "$BINARY" $BINARY_ARGS + fi fi chmod +x "$SCRIPT_PATH" # If ASF exited by itself, we need to ensure that our script is still set to +x after auto-update diff --git a/Dockerfile b/Dockerfile index 1cb18c43d..06969aa76 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,6 +46,7 @@ RUN dotnet --info && \ if [ -d "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}" ]; then mkdir -p "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; cp -pR "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}/"* "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; fi FROM --platform=$TARGETPLATFORM mcr.microsoft.com/dotnet/aspnet:5.0${IMAGESUFFIX} AS runtime +ENV ASF_USER asf ENV ASPNETCORE_URLS= ENV DOTNET_CLI_TELEMETRY_OPTOUT 1 ENV DOTNET_NOLOGO 1 @@ -63,6 +64,11 @@ LABEL maintainer="JustArchi " \ EXPOSE 1242 WORKDIR /app COPY --from=build-dotnet /app/out/result . + +RUN groupadd -r -g 1000 asf && \ + useradd -r -d /app -g 1000 -u 1000 asf && \ + chown -hR asf:asf /app + VOLUME ["/app/config", "/app/logs"] HEALTHCHECK CMD ["pidof", "-q", "dotnet"] ENTRYPOINT ["sh", "ArchiSteamFarm.sh", "--no-restart", "--process-required", "--system-required"] diff --git a/Dockerfile.Service b/Dockerfile.Service index 9f15f22fd..040fdb468 100644 --- a/Dockerfile.Service +++ b/Dockerfile.Service @@ -47,6 +47,7 @@ RUN dotnet --info && \ if [ -d "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}" ]; then mkdir -p "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; cp -pR "out/${STEAM_TOKEN_DUMPER_NAME}/${NET_CORE_VERSION}/"* "out/result/plugins/${STEAM_TOKEN_DUMPER_NAME}"; fi FROM --platform=$TARGETPLATFORM mcr.microsoft.com/dotnet/runtime-deps:5.0${IMAGESUFFIX} AS runtime +ENV ASF_USER asf ENV ASPNETCORE_URLS= ENV DOTNET_CLI_TELEMETRY_OPTOUT 1 ENV DOTNET_NOLOGO 1 @@ -64,6 +65,11 @@ LABEL maintainer="JustArchi " \ EXPOSE 1242 WORKDIR /app COPY --from=build-dotnet /app/out/result . + +RUN groupadd -r -g 1000 asf && \ + useradd -r -d /app -g 1000 -u 1000 asf && \ + chown -hR asf:asf /app + VOLUME ["/app/config", "/app/logs"] HEALTHCHECK CMD ["pidof", "-q", "ArchiSteamFarm"] ENTRYPOINT ["sh", "ArchiSteamFarm-Service.sh", "--no-restart", "--process-required", "--system-required"]