Merge pull request #56 from linuxserver/3.21

rebase to 3.21, add support for non-root and read-only

Author: aptalca

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:3.21
 
 # set version label
 ARG BUILD_DATE
@@ -13,8 +13,6 @@ RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
     build-base \
-    cargo \
-    libffi-dev \
     openldap-dev \
     python3-dev && \
   echo "**** install runtime packages ****" && \
@@ -29,7 +27,7 @@ RUN \
   pip install -U --no-cache-dir \
     pip \
     wheel && \
-  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \
+  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
     cryptography \
     python-ldap=="${LDAP_VERSION}" && \
   printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
@@ -38,8 +36,7 @@ RUN \
     build-dependencies && \
   rm -rf \
     /tmp/* \
-    $HOME/.cache \
-    $HOME/.cargo
+    $HOME/.cache
 
 # copy local files
 COPY root/ /

Dockerfile.aarch64

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.21
 
 # set version label
 ARG BUILD_DATE
@@ -13,8 +13,6 @@ RUN \
   echo "**** install build packages ****" && \
   apk add --no-cache --virtual=build-dependencies \
     build-base \
-    cargo \
-    libffi-dev \
     openldap-dev \
     python3-dev && \
   echo "**** install runtime packages ****" && \
@@ -29,7 +27,7 @@ RUN \
   pip install -U --no-cache-dir \
     pip \
     wheel && \
-  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \
+  pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
     cryptography \
     python-ldap=="${LDAP_VERSION}" && \
   printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
@@ -38,8 +36,7 @@ RUN \
     build-dependencies && \
   rm -rf \
     /tmp/* \
-    $HOME/.cache \
-    $HOME/.cargo
+    $HOME/.cache
 
 # copy local files
 COPY root/ /

README.md

@@ -64,6 +64,14 @@ The architectures supported by this image are:
 - Unlike the upstream project, this image encodes the cookie information with fernet, using a randomly generated key during container creation (or optionally user defined).
 - Also unlike the upstream project, this image serves the login page at `/ldaplogin` (as well as `/login`) to prevent clashes with reverse proxied apps that may also use `/login` for their internal auth.
 
+## Read-Only Operation
+
+This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
 ## Usage
 
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -123,6 +131,8 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e FERNETKEY=` | Optionally define a custom valid fernet key (only needed if container is frequently recreated, or if using multi-node setups, invalidating previous authentications) |
 | `-e CERTFILE=` | Optionally point this to a certificate file to enable HTTP over SSL (HTTPS) for the ldap auth daemon |
 | `-e KEYFILE=` | Optionally point this to the private key file, matching the certificate file referred to in CERTFILE |
+| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 
 ## Environment variables from files (Docker secrets)
 
@@ -286,6 +296,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **22.12.24:** - Rebase to Alpine 3.21. Add support for read-only and non-root.
 * **30.06.24:** - Rebase to Alpine 3.20.
 * **23.12.23:** - Rebase to Alpine 3.19.
 * **20.06.23:** - Sync upstream changes, including the ability to disable referrals with `X-Ldap-DisableReferrals`.

readme-vars.yml

@@ -22,6 +22,8 @@ opt_param_env_vars:
   - {env_var: "FERNETKEY", env_value: "", desc: "Optionally define a custom valid fernet key (only needed if container is frequently recreated, or if using multi-node setups, invalidating previous authentications)"}
   - {env_var: "CERTFILE", env_value: "", desc: "Optionally point this to a certificate file to enable HTTP over SSL (HTTPS) for the ldap auth daemon"}
   - {env_var: "KEYFILE", env_value: "", desc: "Optionally point this to the private key file, matching the certificate file referred to in CERTFILE"}
+readonly_supported: true
+nonroot_supported: true
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
@@ -76,6 +78,7 @@ init_diagram: |
   "ldap-auth:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "22.12.24:", desc: "Rebase to Alpine 3.21. Add support for read-only and non-root."}
   - {date: "30.06.24:", desc: "Rebase to Alpine 3.20."}
   - {date: "23.12.23:", desc: "Rebase to Alpine 3.19."}
   - {date: "20.06.23:", desc: "Sync upstream changes, including the ability to disable referrals with `X-Ldap-DisableReferrals`."}

root/app/ldap-backend-app.py

@@ -137,7 +137,7 @@ def do_POST(self):
 
             self.send_response(302)
 
-            cipher_suite = Fernet(REPLACEWITHFERNETKEY)
+            cipher_suite = Fernet(os.getenv("FERNET_KEY"))
             enc = cipher_suite.encrypt(ensure_bytes(user + ':' + passwd))
             enc = enc.decode()
             self.send_header('Set-Cookie', 'nginxauth=' + enc + '; httponly')

root/app/nginx-ldap-auth-daemon.py

@@ -85,7 +85,7 @@ def do_GET(self):
         ctx['action'] = 'decoding credentials'
 
         try:
-            cipher_suite = Fernet(REPLACEWITHFERNETKEY)
+            cipher_suite = Fernet(os.getenv("FERNET_KEY"))
             self.log_message('Trying to dechipher credentials...')
             auth_decoded = auth_header[6:].encode()
             auth_decoded = cipher_suite.decrypt(auth_decoded)

root/etc/s6-overlay/s6-rc.d/init-ldap-config/run

@@ -2,7 +2,7 @@
 # shellcheck shell=bash
 
 # generate fernet key for ldap if it doesn't exist
-if grep -q 'REPLACEWITHFERNETKEY' /app/ldap-backend-app.py; then
+if [[ ! -f "/run/.fernetkey" ]]; then
     if [[ -z "${FERNETKEY}" ]]; then
         KEY=$(python3 /app/fernet-key.py)
         echo "generated fernet key"
@@ -14,7 +14,5 @@ if grep -q 'REPLACEWITHFERNETKEY' /app/ldap-backend-app.py; then
         KEY="b'${FERNETKEY}'"
         echo "using FERNETKEY from env variable"
     fi
-
-    sed -i "s/REPLACEWITHFERNETKEY/${KEY}/" /app/ldap-backend-app.py
-    sed -i "s/REPLACEWITHFERNETKEY/${KEY}/" /app/nginx-ldap-auth-daemon.py
+    echo "${KEY}" > /run/.fernetkey
 fi

root/etc/s6-overlay/s6-rc.d/svc-ldap-app/run

@@ -1,7 +1,16 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 9000" \
-    s6-setuidgid abc python3 /app/ldap-backend-app.py \
-    --host 0.0.0.0 --port 9000
+export FERNET_KEY=$(cat /run/.fernetkey)
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 9000" \
+            s6-setuidgid abc python3 /app/ldap-backend-app.py \
+                --host 0.0.0.0 --port 9000
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 9000" \
+            python3 /app/ldap-backend-app.py \
+                --host 0.0.0.0 --port 9000
+fi

root/etc/s6-overlay/s6-rc.d/svc-ldap-daemon/run

@@ -1,7 +1,16 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8888" \
-    s6-setuidgid abc python3 /app/nginx-ldap-auth-daemon.py \
-    --host 0.0.0.0 --port 8888
+export FERNET_KEY=$(cat /run/.fernetkey)
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8888" \
+            s6-setuidgid abc python3 /app/nginx-ldap-auth-daemon.py \
+                --host 0.0.0.0 --port 8888
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8888" \
+            python3 /app/nginx-ldap-auth-daemon.py \
+                --host 0.0.0.0 --port 8888
+fi