1 change: 1 addition & 0 deletions README.md
Expand Up @@ -343,6 +343,7 @@ This section describes the config.json as currently specified. The section is a
- **`scripts.environment`**: JSON object describing the general environment in which the script will run.
- **`scripts.environment.image`**: Docker image of the container in which the script will run. This does not need to be the same as the image of the service.
- **`scripts.environment.interactive`**: When set to true, your Docker container is ran in interactive mode and can thus receive input from the user. Non-interactive scripts are easier to call by external scripts.
- **`scripts.environment.privileged`**: If the script needs to run in privileged mode (sharing the docker sock)
- **`scripts.environment.join_networks`**: For scripts which run in a project, this will make the script container join the default network. Set to `true` to activate this option.
- **`scripts.environment.script`**: The script which will be ran. Make sure this script is executable (`chmod a+x your-script.sh`). If the script can be ran by your container as a script, it's fine. You could use a shebang like `#!/usr/bin/ruby` as the first line of your script to run a ruby script, or you could have a standard shell script which launches something totally different.
- **`scripts.mounts.app`**: For scripts which run in a project, this is the place where the full project folder will be mounted. It allows you to do things like create new files for the project.
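Review bot: The new `scripts.environment.privileged` entry is an incomplete sentence and does not say what value to set, what the default is, or what the user will see when it is enabled. The code in `mu` reads it with `.environment.privileged // false` and asks for confirmation before adding `--privileged` to `docker run`, so the entry could say: set to `true` to run the script container with `--privileged`; defaults to `false`; the user is asked to confirm before the script starts. The parenthetical "(sharing the docker sock)" also needs checking: the visible changes only add the `--privileged` flag and no mount for the Docker socket, so either the wording or the implementation should change.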
62 changes: 54 additions & 8 deletions mu
Expand Up @@ -359,12 +359,7 @@ then
fi
elif [[ "script" == $1 ]]
then
# Check if we are in a project or in a service
if [[ -f ./docker-compose.yml && -f Dockerfile ]]
then
echo "mu script is not supported in folders which have a Dockerfile and a docker-compose.yml"
exit 1
elif [[ -f ./docker-compose.yml ]]
if [[ -f ./docker-compose.yml ]]
then
service=$2
command=$3
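Review bot: With the `-f ./docker-compose.yml && -f Dockerfile` guard gone, a folder containing both files now always takes the `docker-compose.yml` (project) branch, and the later `elif [[ -f "Dockerfile" ]]` service branch can no longer be reached from such a folder. If that precedence is intended, state it in a comment at this `if` and in the README, since the error message "mu script is not supported in folders which have a Dockerfile and a docker-compose.yml" was the only place this case was explained to the user.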
Expand Down Expand Up @@ -455,6 +450,43 @@ then
fi
echo -n "."

privileged_mode=`echo "$command_spec" | $interactive_cli jq -r '.environment.privileged // false'`
echo -n "."
privileged=""
if [[ true == "$privileged_mode" ]];
then
entrypoint_script=/tmp/mu/cache/$container_id/scripts/$script_path
echo
read -p "The script you're about to run needs privileged mode. Are you sure? (Y/N) " -n 1 -r
if [[ $REPLY =~ ^[Yy]$ ]]
then
suspicious_patterns=(
"wget"
)
suspicious_found=false
suspicious_pat=''
for pat in "${suspicious_patterns[@]}"; do
if grep -qi "$pat" "$entrypoint_script"; then
suspicious_found=true
suspicious_pat=$pat
break
fi
done

if $suspicious_found; then
echo
read -p "The script you're about to run has at least one suspicious pattern ('$suspicious_pat'), are you sure(Y/N)? " -n 1 -r
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
exit 2
fi
fi
privileged=" --privileged "
else
exit 0
fi
echo
fi
echo -n "."
network_options=$()
join_networks=`echo "$command_spec" | $interactive_cli jq -r '.environment.join_networks // false'`
echo -n "."
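Review bot: The `suspicious_patterns` check (`grep -qi "$pat" "$entrypoint_script"` over a list containing only `"wget"`) is a denylist that a script passes simply by using a different tool or by calling a second file, so passing it tells the user nothing about a script that is about to receive `--privileged`. I would drop it, or present it clearly as a hint only, and instead make the first prompt show what is being approved: `$image_name`, `$script_path`, and the fact that a privileged container has root-equivalent access to the host. Two smaller points in the same block: if `$entrypoint_script` does not exist, `grep` fails and the script is treated as clean, so test that the file is readable first; and declining the first prompt ends in `exit 0` while declining the second ends in `exit 2`, so a calling script cannot tell that nothing ran. Use a non-zero status for both.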
Expand All @@ -470,7 +502,7 @@ then
then
volume_mounts+=(--volume $PWD:$app_mount_point)
fi
docker run ${network_options[@]} ${volume_mounts[@]} $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}"
docker run ${network_options[@]} ${volume_mounts[@]} $privileged $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}"
elif [[ -f "Dockerfile" ]]
then
# A script for developing a microservice
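Review bot: `$privileged` is passed unquoted in the new `docker run` line and relies on word splitting to disappear when it is empty, while the neighbouring `network_options` and `volume_mounts` are expanded as arrays. Building it the same way, for example `privileged=(--privileged)` when confirmed and an empty array otherwise, expanded as `"${privileged[@]}"`, keeps the line consistent and removes the need for the padded string `" --privileged "`.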
Expand Down Expand Up @@ -608,11 +640,25 @@ then

status_step # 21

privileged_mode=`echo "$command_spec" | $interactive_cli jq -r '.environment.privileged // false'`
privileged=""
if [[ true == "$privileged_mode" ]];
then
echo
read -p "The script you're about to run needs privileged mode. Are you sure? " -n 1 -r
if [[ $REPLY =~ ^[Yy]$ ]]
then
privileged=" --privileged "
fi
echo
fi
status_step # 22

echo " DONE"

echo "Executing script $command ${arguments[@]}"

docker run ${docker_volumes[@]} ${docker_environment_variables[@]} $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}"
docker run ${docker_volumes[@]} ${docker_environment_variables[@]} $privileged $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}"
exit 0
else
echo "Did not recognise location"
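Review bot: The privileged prompt in this branch does not match the one in the project branch: it has no `(Y/N)` hint, there is no pattern check, and any answer other than `y` leaves `privileged=""` and still reaches `docker run`, so a script that declared `environment.privileged` runs anyway without the flag, whereas the project branch exits. Pick one behaviour for a declined prompt (stopping with a non-zero status is the least surprising) and move the `jq` lookup and the prompt into a single shell function used by both branches so the two cannot drift apart.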