Merge pull request #199 from linuxserver/ro-non-root

Don't try and enable sudo if ro/non-root even if set
Support ro/non-root
2025-06-26 18:27:40 +00:00 · 2025-05-12 17:04:31 +01:00 · 2025-05-11 14:36:04 +01:00 · 2025-05-11 14:33:51 +01:00 · 2025-05-02 18:54:43 +00:00 · 2025-04-26 20:21:55 +00:00
16 changed files with 74 additions and 31 deletions
--- a/.editorconfig
+++ b/.editorconfig
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
--- a/.github/ISSUE_TEMPLATE/issue.bug.yml
+++ b/.github/ISSUE_TEMPLATE/issue.bug.yml
--- a/.github/ISSUE_TEMPLATE/issue.feature.yml
+++ b/.github/ISSUE_TEMPLATE/issue.feature.yml
--- a/.github/workflows/call_issue_pr_tracker.yml
+++ b/.github/workflows/call_issue_pr_tracker.yml
--- a/.github/workflows/call_issues_cron.yml
+++ b/.github/workflows/call_issues_cron.yml
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
--- a/.github/workflows/permissions.yml
+++ b/.github/workflows/permissions.yml
--- a/0
+++ b/0
--- a/README.md
+++ b/README.md
@@ -78,6 +78,23 @@ git config --global user.email "email address"

 How to create the [hashed password](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#can-i-store-my-password-hashed).

+## Read-Only Operation
+
+This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+
+### Caveats
+
+* `/tmp` must be mounted to tmpfs
+* `sudo` will not be available
+
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
+### Caveats
+
+* `sudo` will not be available
+
 ## Usage

 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -147,6 +164,8 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PROXY_DOMAIN=code-server.my.domain` | If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain) |
 | `-e DEFAULT_WORKSPACE=/config/workspace` | If this optional variable is set, code-server will open this directory by default |
 | `-v /config` | Contains all relevant configuration files. |
+| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |

 ## Environment variables from files (Docker secrets)

--- a/package_versions.txt
+++ b/package_versions.txt
@@ -77,7 +77,7 @@ chownr                                  1.1.4                              npm
 chownr                                  2.0.0                              npm                      
 clojure                                 1.0.0                              npm                      
 code-server                             1.99.3                             npm                      
-code-server                             4.99.3                             npm                      
+code-server                             4.99.4                             npm                      
 coffeescript                            1.0.0                              npm                      
 color-support                           1.1.3                              npm                      
 compressible                            2.0.18                             npm                      
@@ -254,7 +254,7 @@ latex                                   1.0.0                              npm
 less                                    1.0.0                              npm                      
 less                                    590-2ubuntu2.1                     deb                      
 libacl1                                 2.3.2-1build1.1                    deb                      
-libapparmor1                            4.0.1really4.0.1-0ubuntu0.24.04.3  deb                      
+libapparmor1                            4.0.1really4.0.1-0ubuntu0.24.04.4  deb                      
 libapt-pkg6.0t64                        2.7.14build2                       deb                      
 libassuan0                              2.5.6-1build1                      deb                      
 libatomic1                              14.2.0-4ubuntu2~24.04              deb                      
@@ -415,7 +415,7 @@ objective-c                             1.0.0                              npm
 on-finished                             2.4.1                              npm                      
 on-headers                              1.0.2                              npm                      
 once                                    1.4.0                              npm     (+1 duplicate)   
-openssh-client                          1:9.6p1-3ubuntu13.9                deb                      
+openssh-client                          1:9.6p1-3ubuntu13.11               deb                      
 openssl                                 3.0.13-0ubuntu3.5                  deb                      
 opentype.js                             0.8.0                              npm                      
 os-tmpdir                               1.0.2                              npm                      
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -36,6 +36,13 @@ opt_param_env_vars:
  - {env_var: "SUDO_PASSWORD_HASH", env_value: "", desc: "Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`."}
  - {env_var: "PROXY_DOMAIN", env_value: "code-server.my.domain", desc: "If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain)"}
  - {env_var: "DEFAULT_WORKSPACE", env_value: "/config/workspace", desc: "If this optional variable is set, code-server will open this directory by default"}
+readonly_supported: true
+readonly_message: |
+  * `/tmp` must be mounted to tmpfs
+  * `sudo` will not be available
+nonroot_supported: true
+nonroot_message: |
+  * `sudo` will not be available
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
--- a/root/etc/s6-overlay/s6-rc.d/init-code-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-code-server/run
@@ -3,18 +3,20 @@

 mkdir -p /config/{extensions,data,workspace,.ssh}

-if [[ -n "${SUDO_PASSWORD}" ]] || [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
-    echo "setting up sudo access"
-    if ! grep -q 'abc' /etc/sudoers; then
-        echo "adding abc to sudoers"
-        echo "abc ALL=(ALL:ALL) ALL" >> /etc/sudoers
-    fi
-    if [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
-        echo "setting sudo password using sudo password hash"
-        sed -i "s|^abc:\!:|abc:${SUDO_PASSWORD_HASH}:|" /etc/shadow
-    else
-        echo "setting sudo password using SUDO_PASSWORD env var"
-        echo -e "${SUDO_PASSWORD}\n${SUDO_PASSWORD}" | passwd abc
+if [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ -z ${LSIO_READ_ONLY_FS} ]]; then
+    if [[ -n "${SUDO_PASSWORD}" ]] || [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
+        echo "setting up sudo access"
+        if ! grep -q 'abc' /etc/sudoers; then
+            echo "adding abc to sudoers"
+            echo "abc ALL=(ALL:ALL) ALL" >> /etc/sudoers
+        fi
+        if [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
+            echo "setting sudo password using sudo password hash"
+            sed -i "s|^abc:\!:|abc:${SUDO_PASSWORD_HASH}:|" /etc/shadow
+        else
+            echo "setting sudo password using SUDO_PASSWORD env var"
+            echo -e "${SUDO_PASSWORD}\n${SUDO_PASSWORD}" | passwd abc
+        fi
    fi
 fi

@@ -26,17 +28,19 @@ if [[ ! -f /config/.profile ]]; then
    cp /root/.profile /config/.profile
 fi

-# fix permissions (ignore contents of workspace)
-PUID=${PUID:-911}
-if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
-    echo "Change in ownership or new install detected, please be patient while we chown existing files"
-    echo "This could take some time"
-    find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} +
-    lsiown abc:abc /config/workspace
-fi
-chmod 700 /config/.ssh
-if [[ -n "$(ls -A /config/.ssh)" ]]; then
-    find /config/.ssh/ -type d -exec chmod 700 '{}' \;
-    find /config/.ssh/ -type f -exec chmod 600 '{}' \;
-    find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \;
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    # fix permissions (ignore contents of workspace)
+    PUID=${PUID:-911}
+    if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
+        echo "Change in ownership or new install detected, please be patient while we chown existing files"
+        echo "This could take some time"
+        find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} +
+        lsiown abc:abc /config/workspace
+    fi
+    chmod 700 /config/.ssh
+    if [[ -n "$(ls -A /config/.ssh)" ]]; then
+        find /config/.ssh/ -type d -exec chmod 700 '{}' \;
+        find /config/.ssh/ -type f -exec chmod 600 '{}' \;
+        find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \;
+    fi
 fi
--- a/root/etc/s6-overlay/s6-rc.d/svc-code-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-code-server/run
@@ -14,9 +14,21 @@ else
    PROXY_DOMAIN_ARG="--proxy-domain=${PROXY_DOMAIN}"
 fi

-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
-        s6-setuidgid abc \
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
+            s6-setuidgid abc \
+                /app/code-server/bin/code-server \
+                    --bind-addr 0.0.0.0:8443 \
+                    --user-data-dir /config/data \
+                    --extensions-dir /config/extensions \
+                    --disable-telemetry \
+                    --auth "${AUTH}" \
+                    "${PROXY_DOMAIN_ARG}" \
+                    "${DEFAULT_WORKSPACE:-/config/workspace}"
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
            /app/code-server/bin/code-server \
                --bind-addr 0.0.0.0:8443 \
                --user-data-dir /config/data \
@@ -25,3 +37,4 @@ exec \
                --auth "${AUTH}" \
                "${PROXY_DOMAIN_ARG}" \
                "${DEFAULT_WORKSPACE:-/config/workspace}"
+fi
Author	SHA1	Message	Date
Adam	6b64e1e967	Merge pull request #199 from linuxserver/ro-non-root	2025-05-12 17:04:31 +01:00
thespad	a7294dfb09	Don't try and enable sudo if ro/non-root even if set	2025-05-11 14:36:04 +01:00
thespad	a7e2b20ca2	Support ro/non-root	2025-05-11 14:33:51 +01:00
LinuxServer-CI	badac0c5f0	Bot Updating Package Versions Some checks failed Package Trigger Scheduler / package-trigger-scheduler (push) Has been cancelled Details	2025-05-02 18:54:43 +00:00
LinuxServer-CI	e14c470234	Bot Updating Package Versions	2025-04-26 20:21:55 +00:00