Process rcon password as regular user (#2511)

2026-02-28 11:56:25 +00:00 · 2023-11-25 18:30:18 -06:00
parent 051436c1df
commit 9d7232c8b8
4 changed files with 51 additions and 40 deletions
--- a/scripts/start
+++ b/scripts/start
@@ -9,18 +9,13 @@

 umask 0002

-if isTrue "${ENABLE_RCON:-true}" && ! [ -v RCON_PASSWORD ] && ! [ -v RCON_PASSWORD_FILE ]; then
-  RCON_PASSWORD=$(openssl rand -hex 12)
-  export RCON_PASSWORD
-fi
+# Remove from previous run and do this as elevated user since file used to be created before demoting
+rm -f "$HOME/.rcon-cli.env"

 if ! isTrue "${SKIP_SUDO:-false}" && [ "$(id -u)" = 0 ]; then
  runAsUser=minecraft
  runAsGroup=minecraft

-  # For rcon-cli access running via exec, which by default is running as root
-  echo "password=${RCON_PASSWORD}" > "$HOME/.rcon-cli.env"
-
  if [[ -v UID ]]; then
    if [[ $UID != 0 ]]; then
      if [[ $UID != $(id -u minecraft) ]]; then
--- a/scripts/start-configuration
+++ b/scripts/start-configuration
@@ -15,11 +15,9 @@ IFS=$'\n\t'
 : "${RCON_CMDS_FIRST_CONNECT:=}"
 : "${RCON_CMDS_LAST_DISCONNECT:=}"
 : "${RCON_CMDS_PERIOD:=10}"
-: "${RCON_PASSWORD_FILE:=}"
 : "${ENABLE_RCON:=true}"
-: "${RCON_PASSWORD:=minecraft}"
 : "${RCON_PORT:=25575}"
-export ENABLE_RCON RCON_PASSWORD RCON_PORT
+export ENABLE_RCON RCON_PORT

 : "${MEMORY=1G}"
 : "${INIT_MEMORY=${MEMORY}}"
@@ -49,6 +47,36 @@ if [ ! -e /data/eula.txt ]; then
  writeEula
 fi

+##########################################
+# Setup RCON password
+
+if isTrue "${ENABLE_RCON:-true}" && ! [[ -v RCON_PASSWORD ]] && ! [[ -v RCON_PASSWORD_FILE ]]; then
+  RCON_PASSWORD=$(openssl rand -hex 12)
+  export RCON_PASSWORD
+fi
+
+if [[ -v RCON_PASSWORD_FILE ]]; then
+    if [ ! -e "${RCON_PASSWORD_FILE}" ]; then
+      log ""
+      log "Initial RCON password file ${RCON_PASSWORD_FILE} does not seems to exist."
+      log "Please ensure your configuration."
+      log "If you are using Docker Secrets feature, please check this for further information: "
+      log " https://docs.docker.com/engine/swarm/secrets"
+      log ""
+      exit 1
+    else
+      RCON_PASSWORD=$(cat "${RCON_PASSWORD_FILE}")
+      export RCON_PASSWORD
+    fi
+fi
+
+# For rcon-cli access running via exec, which by default is running as root
+echo "password=${RCON_PASSWORD}" > "$HOME/.rcon-cli.env"
+echo "password: \"${RCON_PASSWORD}\"" > "$HOME/.rcon-cli.yaml"
+
+##########################################
+# Auto-pause/stop
+
 if isTrue "${ENABLE_AUTOPAUSE}" && isTrue "${EXEC_DIRECTLY:-false}"; then
    log "EXEC_DIRECTLY=true is incompatible with ENABLE_AUTOPAUSE=true"
    exit 1
@@ -67,25 +95,6 @@ if [[ $PROXY ]]; then
    sleep 5
 fi

-if [[ $RCON_PASSWORD_FILE ]]; then
-    log ""
-    if [ ! -e ${RCON_PASSWORD_FILE} ]; then
-	log "Initial RCON password file ${RCON_PASSWORD_FILE} does not seems to exist."
-	log "Please ensure your configuration."
-	log "If you are using Docker Secrets feature, please check this for further information: "
-	log " https://docs.docker.com/engine/swarm/secrets"
-	log ""
-	exit 1
-    else
-	RCON_PASSWORD=$(cat ${RCON_PASSWORD_FILE})
-	export RCON_PASSWORD
-    fi
-    log ""
-fi
-
-# For rcon-cli access
-echo "password=${RCON_PASSWORD}" > "$HOME/.rcon-cli.env"
-
 function fixJavaPath() {
  # Some Docker management UIs grab all the image declared variables and present them for configuration.
  # When upgrading images across Java versions, that creates a mismatch in PATH's expected by base image.