build: allow users to set the umask easily (#5407)

This adds an easy way for users  to set a UMASK in the container.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
pull/5435/head
James Elliott 2023-05-13 13:19:47 +10:00 committed by GitHub
parent 14084e1ae1
commit e37f19c170
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 7 deletions

View File

@ -18,6 +18,44 @@ The [Docker] container is deployed with the following image names:
* [docker.io/authelia/authelia](https://hub.docker.com/r/authelia/authelia) * [docker.io/authelia/authelia](https://hub.docker.com/r/authelia/authelia)
* [ghcr.io/authelia/authelia](https://github.com/authelia/authelia/pkgs/container/authelia) * [ghcr.io/authelia/authelia](https://github.com/authelia/authelia/pkgs/container/authelia)
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Container
### Environment Variables
Several environment variables apply specifically to the official container. This table documents them. It is important
to note these environment variables are specific to the container and have no effect on the *Authelia* daemon itself and
this section is not meant to document the daemon environment variables.
| Name | Default | Usage |
|:-----:|:-------:|:---------------------------------------------------------------------------------------------:|
| PUID | 0 | If the container is running as UID 0, it will drop privileges to this UID via the entrypoint |
| PGID | 0 | If the container is running as UID 0, it will drop privileges to this GID via the entrypoint |
| UMASK | N/A | If set the container will run with the provided UMASK by running the `umask ${UMASK}` command |
### Permission Context
By default the container runs as the configured [Docker] daemon user. Users can control this behaviour in several ways.
The first and recommended way is instructing the [Docker] daemon to run the *Authelia* container as another user. See
the [docker run] or [Docker Compose file reference documentation](https://docs.docker.com/compose/compose-file/05-services/#user)
for more information. The best part of this method is the process will never have privileged access, and the only
negative is the user must manually configure the filesystem permissions correctly.
The second method is by using the environment variables listed above. The downside to this method is that the entrypoint
itself will run as UID 0 (root). The advantage is the container will automatically set owner and permissions on the
filesystem correctly.
The last method which is beyond our documentation or support is using the
[user namespace](https://docs.docker.com/engine/security/userns-remap/) facility [Docker] provides.
[docker run]: https://docs.docker.com/engine/reference/commandline/run/
## Docker Compose ## Docker Compose
We provide two main [Docker Compose] examples which can be utilized to help test *Authelia* or can be adapted into your We provide two main [Docker Compose] examples which can be utilized to help test *Authelia* or can be adapted into your
@ -27,12 +65,6 @@ existing [Docker Compose].
* [Bundle: lite](#lite) * [Bundle: lite](#lite)
* [Bundle: local](#local) * [Bundle: local](#local)
### Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
### Standalone Example ### Standalone Example
The following examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or The following examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or

View File

@ -1,5 +1,7 @@
#!/bin/sh #!/bin/sh
[[ ! -z ${UMASK} ]] && umask ${UMASK}
if [[ ! -z ${1} ]] && [[ ${1} != "--config" ]]; then if [[ ! -z ${1} ]] && [[ ${1} != "--config" ]]; then
exec "$@" exec "$@"
elif [[ $(id -u) != 0 ]] || [[ $(id -g) != 0 ]]; then elif [[ $(id -u) != 0 ]] || [[ $(id -g) != 0 ]]; then