Merge pull request #199 from linuxserver/ro-non-root

README.md

@@ -78,6 +78,23 @@ git config --global user.email "email address"
 
 How to create the [hashed password](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#can-i-store-my-password-hashed).
 
+## Read-Only Operation
+
+This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+
+### Caveats
+
+* `/tmp` must be mounted to tmpfs
+* `sudo` will not be available
+
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
+### Caveats
+
+* `sudo` will not be available
+
 ## Usage
 
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -147,6 +164,8 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PROXY_DOMAIN=code-server.my.domain` | If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain) |
 | `-e DEFAULT_WORKSPACE=/config/workspace` | If this optional variable is set, code-server will open this directory by default |
 | `-v /config` | Contains all relevant configuration files. |
+| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 
 ## Environment variables from files (Docker secrets)
 

readme-vars.yml

@@ -36,6 +36,13 @@ opt_param_env_vars:
   - {env_var: "SUDO_PASSWORD_HASH", env_value: "", desc: "Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`."}
   - {env_var: "PROXY_DOMAIN", env_value: "code-server.my.domain", desc: "If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain)"}
   - {env_var: "DEFAULT_WORKSPACE", env_value: "/config/workspace", desc: "If this optional variable is set, code-server will open this directory by default"}
+readonly_supported: true
+readonly_message: |
+  * `/tmp` must be mounted to tmpfs
+  * `sudo` will not be available
+nonroot_supported: true
+nonroot_message: |
+  * `sudo` will not be available
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |

root/etc/s6-overlay/s6-rc.d/init-code-server/run

@@ -3,7 +3,8 @@
 
 mkdir -p /config/{extensions,data,workspace,.ssh}
 
-if [[ -n "${SUDO_PASSWORD}" ]] || [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
+if [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ -z ${LSIO_READ_ONLY_FS} ]]; then
+    if [[ -n "${SUDO_PASSWORD}" ]] || [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
         echo "setting up sudo access"
         if ! grep -q 'abc' /etc/sudoers; then
             echo "adding abc to sudoers"
@@ -16,6 +17,7 @@ if [[ -n "${SUDO_PASSWORD}" ]] || [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
             echo "setting sudo password using SUDO_PASSWORD env var"
             echo -e "${SUDO_PASSWORD}\n${SUDO_PASSWORD}" | passwd abc
         fi
+    fi
 fi
 
 if [[ ! -f /config/.bashrc ]]; then
@@ -26,17 +28,19 @@ if [[ ! -f /config/.profile ]]; then
     cp /root/.profile /config/.profile
 fi
 
-# fix permissions (ignore contents of workspace)
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
-PUID=${PUID:-911}
+    # fix permissions (ignore contents of workspace)
-if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
+    PUID=${PUID:-911}
+    if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
         echo "Change in ownership or new install detected, please be patient while we chown existing files"
         echo "This could take some time"
         find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} +
         lsiown abc:abc /config/workspace
-fi
+    fi
-chmod 700 /config/.ssh
+    chmod 700 /config/.ssh
-if [[ -n "$(ls -A /config/.ssh)" ]]; then
+    if [[ -n "$(ls -A /config/.ssh)" ]]; then
         find /config/.ssh/ -type d -exec chmod 700 '{}' \;
         find /config/.ssh/ -type f -exec chmod 600 '{}' \;
         find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \;
+    fi
 fi

root/etc/s6-overlay/s6-rc.d/svc-code-server/run

@@ -14,7 +14,8 @@ else
     PROXY_DOMAIN_ARG="--proxy-domain=${PROXY_DOMAIN}"
 fi
 
-exec \
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
         s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
             s6-setuidgid abc \
                 /app/code-server/bin/code-server \
@@ -25,3 +26,15 @@ exec \
                     --auth "${AUTH}" \
                     "${PROXY_DOMAIN_ARG}" \
                     "${DEFAULT_WORKSPACE:-/config/workspace}"
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
+            /app/code-server/bin/code-server \
+                --bind-addr 0.0.0.0:8443 \
+                --user-data-dir /config/data \
+                --extensions-dir /config/extensions \
+                --disable-telemetry \
+                --auth "${AUTH}" \
+                "${PROXY_DOMAIN_ARG}" \
+                "${DEFAULT_WORKSPACE:-/config/workspace}"
+fi