With autopause, provide option to start knockd without sudo

This commit is contained in:
Geoff Bourne
2023-10-08 11:00:14 -05:00
parent ec539a5dd2
commit 6fce520004
6 changed files with 14 additions and 7 deletions
+2 -5
View File
@@ -9,14 +9,11 @@ ARG TARGETOS
ARG TARGETARCH ARG TARGETARCH
ARG TARGETVARIANT ARG TARGETVARIANT
# CI system should set this to a hash or git revision of the build directory and it's contents to
# ensure consistent cache updates.
ARG BUILD_FILES_REV=1
RUN --mount=target=/build,source=build \ RUN --mount=target=/build,source=build \
REV=${BUILD_FILES_REV} TARGET=${TARGETARCH}${TARGETVARIANT} /build/run.sh install-packages TARGET=${TARGETARCH}${TARGETVARIANT} /build/run.sh install-packages
RUN --mount=target=/build,source=build \ RUN --mount=target=/build,source=build \
REV=${BUILD_FILES_REV} /build/run.sh setup-user /build/run.sh setup-user
COPY --chmod=644 files/sudoers* /etc/sudoers.d COPY --chmod=644 files/sudoers* /etc/sudoers.d
+3 -1
View File
@@ -26,9 +26,11 @@ apk add --no-cache -U \
zstd \ zstd \
nfs-utils \ nfs-utils \
libpcap \ libpcap \
libwebp libwebp \
libcap
# Patched knockd # Patched knockd
curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-alpine-amd64.tar.gz curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-alpine-amd64.tar.gz
tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz
ln -s /usr/local/sbin/knockd /usr/sbin/knockd ln -s /usr/local/sbin/knockd /usr/sbin/knockd
setcap cap_net_raw=ep /usr/local/sbin/knockd
+1
View File
@@ -46,3 +46,4 @@ bash /build/ol/install-gosu.sh
curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-$TARGET.tar.gz curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-$TARGET.tar.gz
tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz
ln -s /usr/local/sbin/knockd /usr/sbin/knockd ln -s /usr/local/sbin/knockd /usr/sbin/knockd
setcap cap_net_raw=ep /usr/local/sbin/knockd
+1
View File
@@ -35,4 +35,5 @@ apt-get clean
curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-$TARGET.tar.gz curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-$TARGET.tar.gz
tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz
ln -s /usr/local/sbin/knockd /usr/sbin/knockd ln -s /usr/local/sbin/knockd /usr/sbin/knockd
setcap cap_net_raw=ep /usr/local/sbin/knockd
find /usr/lib -name 'libpcap.so.0.8' -execdir cp '{}' libpcap.so.1 \; find /usr/lib -name 'libpcap.so.0.8' -execdir cp '{}' libpcap.so.1 \;
@@ -38,6 +38,8 @@ The following environment variables define the behaviour of auto-pausing:
describes period of the daemonized state machine, that handles the pausing of the process (resuming is done independently) describes period of the daemonized state machine, that handles the pausing of the process (resuming is done independently)
- `AUTOPAUSE_KNOCK_INTERFACE`, default `eth0` - `AUTOPAUSE_KNOCK_INTERFACE`, default `eth0`
<br>Describes the interface passed to the `knockd` daemon. If the default interface does not work, run the `ifconfig` command inside the container and derive the interface receiving the incoming connection from its output. The passed interface must exist inside the container. Using the loopback interface (`lo`) does likely not yield the desired results. <br>Describes the interface passed to the `knockd` daemon. If the default interface does not work, run the `ifconfig` command inside the container and derive the interface receiving the incoming connection from its output. The passed interface must exist inside the container. Using the loopback interface (`lo`) does likely not yield the desired results.
- `AUTOPAUSE_SUDO`, default "true"
specifies if the knockd service should be run via sudo in order to elevate its privileges
!!! tip !!! tip
+5 -1
View File
@@ -45,7 +45,11 @@ if isTrue "${DEBUG_AUTOPAUSE}"; then
knockdArgs+=(-D) knockdArgs+=(-D)
fi fi
sudo /usr/local/sbin/knockd "${knockdArgs[@]}" if isTrue "${AUTOPAUSE_SUDO:-true}"; then
sudo /usr/local/sbin/knockd "${knockdArgs[@]}"
else
/usr/local/sbin/knockd "${knockdArgs[@]}"
fi
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
logAutopause "Failed to start knockd daemon." logAutopause "Failed to start knockd daemon."
logAutopause "Probable cause: Unable to attach to interface \"$AUTOPAUSE_KNOCK_INTERFACE\"." logAutopause "Probable cause: Unable to attach to interface \"$AUTOPAUSE_KNOCK_INTERFACE\"."