Overhaul rootless implementation (#364, #389, #393)

wolveix · wolveix · commit d55afb973309 · 2025-01-24T12:37:08.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,8 @@
 FROM steamcmd/steamcmd:ubuntu-22
 
+ARG GID=1000
+ARG UID=1000
+
 ENV AUTOSAVENUM="5" \
     DEBIAN_FRONTEND="noninteractive" \
     DEBUG="false" \
@@ -25,7 +28,8 @@ RUN set -x \
  && apt-get update \
  && apt-get install -y gosu xdg-user-dirs curl jq tzdata --no-install-recommends \
  && rm -rf /var/lib/apt/lists/* \
- && useradd -ms /bin/bash steam \
+ && groupadd -g ${GID} steam \
+ && useradd -u ${UID} -g ${GID} -ms /bin/bash steam \
  && gosu nobody true
 
 RUN mkdir -p /config \
diff --git a/README.md b/README.md
@@ -245,20 +245,65 @@ really get the best out of multiplayer:
 - Right-click each of the 3 config files (Engine.ini, Game.ini, Scalability.ini)
 - Go to Properties > tick Read-only under the attributes
 
-## Rootless
+## Running as Non-Root User
 
-If you'd prefer to run the container as a non-root user, just pass your preferred user to the container using Docker's
-own user implementation (e.g. `--user 1000:1000`). Do note that the container will print a warning for this, and this
-may cause permissions-related issues.
+By default, the container runs with root privileges but executes Satisfactory under `1000:1000`. If your host's user and
+group IDs are `1000:1000`, you can run the entire container as non-root using Docker's `--user` directive. For different
+user/group IDs, you'll need to clone and rebuild the image with your specific UID/GID:
+
+### Building Non-Root Image
+
+1. Clone the repository:
+
+```shell
+git clone https://github.com/wolveix/satisfactory-server.git
+```
+
+2. Create a docker-compose.yml file with your desired UID/GID as build args (note that the `PUID` and `PGID` environment
+   variables will no longer be needed):
+
+```yaml
+services:
+  satisfactory-server:
+    container_name: 'satisfactory-server'
+    hostname: 'satisfactory-server'
+    build:
+      context: .
+      args:
+        UID: 1001  # Your desired UID
+        GID: 1001  # Your desired GID
+    user: "1001:1001"  # Must match UID:GID above
+    ports:
+      - '7777:7777/udp'
+      - '7777:7777/tcp'
+    volumes:
+      - './satisfactory-server:/config'
+    environment:
+      - MAXPLAYERS=4
+      - STEAMBETA=false
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 8G
+        reservations:
+          memory: 4G
+```
+
+3. Build and run the container:
+
+```shell
+docker compose up -d
+```
 
 ## Known Issues
 
-- The container is run as `root`. This is pretty common for Docker images, but is bad practice for security reasons.
-  This change was made to address [permissions issues](https://github.com/wolveix/satisfactory-server/issues/44)
+- The container is run as `root` by default. You can provide your own user and group using Docker's `--user` directive;
+  however, if your proposed user and group aren't `1000:1000`, you'll need to rebuild the image (as outlined above).
 - The server log will show various errors; most of which can be safely ignored. As long as the container continues to
   run and your log looks similar to the example log, the server should be functioning just
   fine: [example log](https://github.com/wolveix/satisfactory-server/blob/main/server.log)
 
 ## Star History
 
-[![Star History Chart](https://api.star-history.com/svg?repos=wolveix/satisfactory-server&type=Date)](https://star-history.com/#wolveix/satisfactory-server&Date)
+[![Star History Chart](https://api.star-history.com/svg?repos=wolveix/satisfactory-server&type=Date)](https://star-history.com/#wolveix/satisfactory-server&Date)
diff --git a/init.sh b/init.sh
@@ -4,13 +4,17 @@ set -e
 
 printf "===== Satisfactory Server %s =====\\nhttps://github.com/wolveix/satisfactory-server\\n\\n" "$VERSION"
 
-CURRENTUID=$(id -u)
-HOME="/home/steam"
 MSGERROR="\033[0;31mERROR:\033[0m"
 MSGWARNING="\033[0;33mWARNING:\033[0m"
 NUMCHECK='^[0-9]+$'
 RAMAVAILABLE=$(awk '/MemAvailable/ {printf( "%d\n", $2 / 1024000 )}' /proc/meminfo)
-USER="steam"
+
+export CURRENTGID=$(id -g)
+export CURRENTUID=$(id -u)
+export HOME="/home/steam"
+export STEAMGID=$(id -g steam)
+export STEAMUID=$(id -u steam)
+export USER="steam"
 
 if [[ "${DEBUG,,}" == "true" ]]; then
     printf "Debugging enabled (the container will exit after printing the debug info)\\n\\nPrinting environment variables:\\n"
@@ -53,10 +57,13 @@ if [[ "${LOG,,}" != "true" ]]; then
     fi
 fi
 
-# check if the user and group IDs have been set. If so, reset HOME to the upstream default
 if [[ "$CURRENTUID" -ne "0" ]]; then
-    HOME="/root"
-    printf "${MSGWARNING} Current user (%s) is not root (0).\\nNo permissions will be adjusted as we're running within a rootless environment.\\n" "$CURRENTUID"
+    if [[ "$STEAMUID" -ne "$CURRENTUID" ]] || [[ "$STEAMGID" -ne $(id -g) ]]; then
+        printf "${MSGERROR} Current user (%s:%s) is not root (0:0), and doesn't match the steam user/group (%s:%s).\\nTo run the container as non-root with a UID/GID that differs from the steam user, you must build the Docker image with the UID and GID build arguments set.\\n" "$CURRENTUID" "$CURRENTGID" "$STEAMUID" "$STEAMGID"
+        exit 1
+    fi
+
+    printf "${MSGWARNING} Running as non-root user (%s:%s).\\n" "$CURRENTUID" "$CURRENTGID"
 fi
 
 if ! [[ "$PGID" =~ $NUMCHECK ]] ; then
