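#!/bin/sh
# Fail fast: any unhandled non-zero exit aborts the entrypoint. Note that -e is
# ignored inside `if`/`&&`/`||` conditions, so best-effort steps below are
# marked explicitly with `|| true` and critical ones are checked directly.
set -e
# =============================================================================
# usulnet Docker Entrypoint
#
# Responsibilities, in order:
#   * resolve the Docker socket path (DOCKER_SOCKET, then a unix:// DOCKER_HOST,
#     then a set of well-known locations) and export it as DOCKER_SOCKET
#   * when started as root: grant the usulnet user access to that socket via
#     its owning group, fix ownership of the data and nginx shared volumes,
#     then drop privileges with su-exec before exec'ing the container command
#   * when started as non-root: exec the container command unchanged
#
# Environment inputs:
#   DOCKER_SOCKET  explicit socket path; used as-is when non-empty
#   DOCKER_HOST    standard Docker client variable; only unix:// values are used
# =============================================================================
# Unprivileged account the container command runs as. It is a constant for the
# whole script, so make accidental reassignment a hard error.
readonly USULNET_USER="usulnet"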
# ---------------------------------------------------------------------------
# Auto-detect Docker socket path (unless DOCKER_SOCKET is already set)
# ---------------------------------------------------------------------------
# Prints the first existing Docker socket found, or /var/run/docker.sock when
# nothing is found (the caller reports the missing socket later). Search order:
#   1. /var/run/docker.sock                  (standard daemon path)
#   2. $XDG_RUNTIME_DIR/docker.sock          (rootless Docker, only when set)
#   3. /run/user/<current uid>/docker.sock   (rootless Docker)
#   4. the "Host" of the active `docker context`, when the docker CLI exists
#      and the value is a unix:// URL pointing at an existing socket
# Only socket files (test -S) are accepted; anything else is skipped.
detect_docker_socket() {
  # Steps 1-3: well-known locations. An unset/empty XDG_RUNTIME_DIR yields an
  # empty candidate, which the -n test skips.
  _uid=$(id -u)
  for _candidate in \
      "/var/run/docker.sock" \
      "${XDG_RUNTIME_DIR:+$XDG_RUNTIME_DIR/docker.sock}" \
      "/run/user/${_uid}/docker.sock"; do
    if [ -n "$_candidate" ] && [ -S "$_candidate" ]; then
      echo "$_candidate"
      return
    fi
  done
  # Step 4: ask the docker CLI for the active context and pull the path out of
  # its unix:// "Host" field. No jq in the image, so a sed capture does the job;
  # the result is still validated with -S before it is trusted.
  _ctx_host=""
  if command -v docker >/dev/null 2>&1; then
    _ctx_host=$(docker context inspect 2>/dev/null \
      | sed -n 's/.*"Host"[[:space:]]*:[[:space:]]*"unix:\/\/\(.*\)".*/\1/p' \
      | head -n1)
  fi
  if [ -n "$_ctx_host" ] && [ -S "$_ctx_host" ]; then
    echo "$_ctx_host"
    return
  fi
  # Step 5: nothing found. Report the standard path so the caller's -S check
  # fails with a meaningful location in its warning.
  echo "/var/run/docker.sock"
}
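# ---------------------------------------------------------------------------
# Resolve the Docker socket path and export it as DOCKER_SOCKET.
# Precedence: an explicit DOCKER_SOCKET wins; otherwise a unix:// DOCKER_HOST
# is used; otherwise the well-known locations are probed.
# ---------------------------------------------------------------------------
# Prints the socket path chosen by the precedence above. Reads DOCKER_SOCKET
# and DOCKER_HOST from the environment and falls back to detect_docker_socket().
# A non-unix DOCKER_HOST (tcp://, ssh://, ...) is deliberately ignored here:
# it is not a local socket this entrypoint could grant group access to.
resolve_docker_socket() {
  if [ -n "$DOCKER_SOCKET" ]; then
    # Explicitly set by user — use as-is.
    printf '%s\n' "$DOCKER_SOCKET"
    return
  fi
  case "$DOCKER_HOST" in
    unix://*)
      # Derive from the standard DOCKER_HOST env var by stripping the scheme
      # (parameter expansion instead of spawning echo|sed for a prefix strip).
      printf '%s\n' "${DOCKER_HOST#unix://}"
      return
      ;;
  esac
  detect_docker_socket
}

DOCKER_SOCKET=$(resolve_docker_socket)
export DOCKER_SOCKET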
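# ---------------------------------------------------------------------------
# Privilege handling (root only): socket access, volume ownership, drop to
# $USULNET_USER.
# ---------------------------------------------------------------------------
# Grant $USULNET_USER access to the Docker socket at $DOCKER_SOCKET by adding
# the user to the socket's owning group, creating a "docker" group with that
# GID when no group owns it yet. Must run as root. Prints what it did, or a
# WARNING when it could not.
#
# Security note: a socket owned by GID 0 is never "granted" this way. The
# original logic would resolve GID 0 to the existing "root" group and add the
# service user to it, which hands that user read/write access to every
# root-group file on the system — far more than the socket. In that case the
# socket is only usable if its mode already permits it (e.g. 0666), and we say
# so instead of widening privileges.
grant_docker_socket_access() {
  if [ ! -S "$DOCKER_SOCKET" ]; then
    echo "WARNING: Docker socket not found at $DOCKER_SOCKET"
    echo " Searched: /var/run/docker.sock, \$XDG_RUNTIME_DIR/docker.sock, /run/user/<UID>/docker.sock, docker context"
    echo " Set DOCKER_SOCKET or USULNET_DOCKER_SOCKET to specify the path manually."
    return 0
  fi
  SOCK_GID=$(stat -c '%g' "$DOCKER_SOCKET")
  if [ "$SOCK_GID" = "0" ]; then
    echo "WARNING: Docker socket $DOCKER_SOCKET is owned by GID 0; refusing to add $USULNET_USER to the root group."
    echo " Access depends on the socket mode (currently $(stat -c '%a' "$DOCKER_SOCKET")). Re-own the socket to a dedicated group or use rootless Docker."
    return 0
  fi
  # Reuse whatever group already owns this GID; otherwise create "docker" with it.
  EXISTING_GROUP=$(getent group "$SOCK_GID" | cut -d: -f1 || true)
  if [ -z "$EXISTING_GROUP" ]; then
    # addgroup can fail if a "docker" group already exists with another GID;
    # the membership check below surfaces that instead of hiding it.
    addgroup -g "$SOCK_GID" docker 2>/dev/null || true
    EXISTING_GROUP="docker"
  fi
  addgroup "$USULNET_USER" "$EXISTING_GROUP" 2>/dev/null || true
  # Don't trust the silenced addgroup calls: confirm the user really carries the
  # socket's GID, otherwise the app fails later with an opaque EACCES.
  if id -G "$USULNET_USER" 2>/dev/null | tr ' ' '\n' | grep -qx "$SOCK_GID"; then
    echo "Docker socket GID=$SOCK_GID, added $USULNET_USER to group $EXISTING_GROUP"
  else
    echo "WARNING: could not give $USULNET_USER GID $SOCK_GID (group $EXISTING_GROUP); Docker socket access will likely fail."
  fi
}

# Make the data directory and the nginx shared volumes (config, certs, ACME
# webroot) owned by $USULNET_USER so the unprivileged process can write them.
# Failures are tolerated on purpose: a read-only or externally managed mount
# must not abort startup. Note these are shared volumes, so the recursive chown
# also re-owns whatever other containers have written into them.
fix_volume_ownership() {
  chown -R "$USULNET_USER:$USULNET_USER" /app/data 2>/dev/null || true
  mkdir -p /etc/nginx/conf.d/usulnet /etc/usulnet/certs /var/lib/usulnet/acme/.well-known/acme-challenge 2>/dev/null || true
  chown -R "$USULNET_USER:$USULNET_USER" /etc/nginx/conf.d/usulnet /etc/usulnet/certs /var/lib/usulnet/acme 2>/dev/null || true
}

# If running as root, configure Docker socket access and drop to usulnet.
if [ "$(id -u)" = "0" ]; then
  grant_docker_socket_access
  fix_volume_ownership
  # Drop privileges and exec the command. su-exec replaces this shell rather
  # than forking, so the application itself receives the container's signals.
  exec su-exec "$USULNET_USER" "$@"
fi
# Already running as non-root: nothing to configure, just exec the command.
exec "$@"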