diff --git a/Dockerfile b/Dockerfile
index 2196d13e..e95a3682 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,7 +26,7 @@ RUN apt-get update \
 RUN addgroup --gid 1000 minecraft \
 && adduser --system --shell /bin/false --uid 1000 --ingroup minecraft --home /data minecraft
-COPY files/sudoers* /etc/sudoers.d
+COPY --chmod=644 files/sudoers* /etc/sudoers.d
 EXPOSE 25565 25575
@@ -78,15 +78,14 @@ ENV UID=1000 GID=1000 \
 ENABLE_AUTOPAUSE=false AUTOPAUSE_TIMEOUT_EST=3600 AUTOPAUSE_TIMEOUT_KN=120 AUTOPAUSE_TIMEOUT_INIT=600 \
 AUTOPAUSE_PERIOD=10 AUTOPAUSE_KNOCK_INTERFACE=eth0
-COPY scripts/start* /
-COPY bin/ /usr/local/bin/
-COPY bin/mc-health /health.sh
-COPY files/server.properties /tmp/server.properties
-COPY files/log4j2.xml /tmp/log4j2.xml
-COPY files/autopause /autopause
+COPY --chmod=755 scripts/start* /
+COPY --chmod=755 bin/ /usr/local/bin/
+COPY --chmod=755 bin/mc-health /health.sh
+COPY --chmod=644 files/server.properties /tmp/server.properties
+COPY --chmod=644 files/log4j2.xml /tmp/log4j2.xml
+COPY --chmod=755 files/autopause /autopause
-RUN dos2unix /start* && chmod +x /start* \
- && dos2unix /autopause/* && chmod +x /autopause/*.sh
+RUN dos2unix /start* /autopause/*
 ENTRYPOINT [ "/start" ]
 HEALTHCHECK --start-period=1m CMD mc-health
diff --git a/docker-versions-create.sh b/docker-versions-create.sh
index e82dc7bf..a5c07e7e 100755
--- a/docker-versions-create.sh
+++ b/docker-versions-create.sh
@@ -147,7 +147,7 @@ if [[ $tag ]]; then
 "generate_release_notes": true
 }
 EOF
- if ! echo curl "${auth[@]}" -H "Accept: application/vnd.github.v3+json" \
+ if ! curl "${auth[@]}" -H "Accept: application/vnd.github.v3+json" \
 "${base}/repos/${owner}/${repo}/releases" -d "$releaseBody"; then
 echo "ERROR failed to create github release $tag"
 exit 1
diff --git a/scripts/start-finalExec b/scripts/start-finalExec
index e34222c6..8e684d97 100755
--- a/scripts/start-finalExec
+++ b/scripts/start-finalExec
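Review bot: `COPY --chmod=644 files/sudoers* /etc/sudoers.d` makes the drop-in files world-readable, which is looser than the 0440 that sudo documents for sudoers files: current sudo releases only insist on root ownership and no group/other write bit, so 0644 is accepted, but `visudo -c` reports it as bad permissions, older sudo builds refused any mode other than `sudoers_mode`, and with 0644 every process running as `minecraft` can read exactly which commands it may elevate. Since `COPY` without `--chown` already yields root ownership, the tighter line costs nothing: `COPY --chmod=440 files/sudoers* /etc/sudoers.d`. A `RUN visudo -c` after the copy (assuming the base image's sudoers includes `/etc/sudoers.d`) would fail the build on a malformed or mis-permissioned drop-in instead of surfacing it at the first `sudo` call.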
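Review bot: `COPY --chmod=755 files/autopause /autopause` applies the executable bit recursively to everything under `files/autopause`, whereas the removed `chmod +x /autopause/*.sh` only touched the shell scripts, so any non-script file in that tree (configuration, for instance) now ends up executable; `COPY --chmod=755 bin/ /usr/local/bin/` has the same effect on that directory. If either source holds anything but scripts, keep the narrower `RUN dos2unix /autopause/* && chmod +x /autopause/*.sh` for it and reserve `--chmod=755` for script-only sources. Note too that `--chmod` is a BuildKit-only flag (the legacy builder aborts with "the --chmod option requires BuildKit"); unless the top of the file, outside this hunk, already carries a `# syntax=docker/dockerfile:1` directive, add one so the build no longer depends on the caller's `DOCKER_BUILDKIT` setting.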
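Review bot: With the debugging `echo` gone, the `if ! curl …` on the new line still cannot detect a rejected release creation, because curl exits 0 on an HTTP 4xx/5xx response (a bad token or an already-released tag typically comes back as 401/422 with a JSON error body) and the `ERROR failed to create github release` branch only fires when the transfer itself fails. Add `--fail` together with `-sS` so output stays quiet but errors are shown, i.e. `if ! curl -fsS "${auth[@]}" -H "Accept: application/vnd.github.v3+json" \`, and the `exit 1` path is taken on a rejected request. The enclosing `if [[ $tag ]]` block starts before the hunk.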
@@ -107,7 +107,36 @@ if [ -n "$ICON" ]; then
 fi
 fi
+canUseRollingLogs=true
+
+patchLog4jConfig() {
+ file=${1?}
+ url=${2?}
+ if ! get -o "$file" "$url"; then
+ log "ERROR: failed to download corrected log4j config"
+ exit 1
+ fi
+ JVM_OPTS="-Dlog4j.configurationFile=${file} ${JVM_OPTS}"
+ canUseRollingLogs=false
+}
+
+# Patch Log4j remote code execution vulnerability
+# See https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
+if versionLessThan 1.7; then
+ : # No patch required here.
+elif isFamily VANILLA && versionLessThan 1.12; then
+ patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml
+elif isFamily VANILLA && versionLessThan 1.17; then
+ patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml
+elif versionLessThan 1.18.1; then
+ JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
+fi
+
 if isTrue ${ENABLE_ROLLING_LOGS:-false}; then
+ if ! ${canUseRollingLogs}; then
+ log "ERROR: Using rolling logs is currently not possible in the selected version due to CVE-2021-44228"
+ exit 1
+ fi
 # Set up log configuration
 LOGFILE="/data/log4j2.xml"
 if [ ! -e "$LOGFILE" ]; then
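Review bot: The final `elif versionLessThan 1.18.1` branch passes `-Dlog4j2.formatMsgNoLookups=true` to every non-VANILLA server from 1.7 up to 1.18.0, but that system property only exists in log4j 2.10 and later, which as far as I can tell is newer than the log4j bundled by the 1.7–1.16 vanilla jars (the reason the linked Mojang advisory prescribes the config-file fix for those versions), so on a modded or Bukkit-derived server below 1.17 this branch is probably a no-op while the script carries on as if CVE-2021-44228 were mitigated. Either relax the `isFamily VANILLA` precondition for families where the Mojang config is known to load, or at minimum add `log "WARNING: CVE-2021-44228 mitigation may be ineffective for this server type below 1.17; verify that the distribution patched log4j itself"` to that branch so the gap is visible in the logs. Separately, `patchLog4jConfig` hands whatever `get` downloaded straight to `-Dlog4j.configurationFile`, a file log4j trusts completely; the launcher URL path looks like the object's SHA-1, so verify the download against it before use (assuming coreutils' `sha1sum` is in the image), as sketched below. The `if isTrue ${ENABLE_ROLLING_LOGS:-false}` block continues past the end of the hunk.
```shell
patchLog4jConfig() {
  file=${1?}
  url=${2?}
  sha1=${3?}
  if ! get -o "$file" "$url"; then
    log "ERROR: failed to download corrected log4j config"
    exit 1
  fi
  # log4j loads this config with the server's privileges: refuse anything but the expected bytes
  if ! echo "${sha1}  ${file}" | sha1sum -c --status; then
    log "ERROR: downloaded log4j config ${file} does not match expected SHA-1 ${sha1}"
    rm -f "$file"
    exit 1
  fi
  JVM_OPTS="-Dlog4j.configurationFile=${file} ${JVM_OPTS}"
  canUseRollingLogs=false
}

# … unchanged: version dispatch, except that each call now passes the hash from the URL path …
  patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml dd2b723346a8dcd48e7f4d245f6bf09e98db9696
  patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml 02937d122c86ce73319ef9975b58896fc1b491d1
```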
@@ -150,28 +179,6 @@ if [ -n "$JVM_DD_OPTS" ]; then
 done
 fi
-patchLog4jConfig() {
- file=${1?}
- url=${2?}
- if ! get -o "$file" "$url"; then
- log "ERROR: failed to download corrected log4j config"
- exit 1
- fi
- JVM_OPTS="-Dlog4j.configurationFile=${file} ${JVM_OPTS}"
-}
-
-# Patch Log4j remote code execution vulnerability
-# See https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
-if versionLessThan 1.7; then
- : # No patch required here.
-elif isFamily VANILLA && versionLessThan 1.12; then
- patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml
-elif isFamily VANILLA && versionLessThan 1.17; then
- patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml
-elif versionLessThan 1.18.1; then
- JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
-fi
-
 if isTrue ${ENABLE_JMX}; then
 : ${JMX_PORT:=7091}
 JVM_OPTS="${JVM_OPTS}