diff --git a/CLAUDE.md b/CLAUDE.md index 65bbb33..f8e424e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -30,7 +30,7 @@ make build_scratch_multi - `base.alpine/` - Alpine runtime image - `Dockerfile` - image definition - - `files/init.sh` - entrypoint script, handles timezone and UID setup, drops to app user + - `files/init.sh` - entrypoint script, handles timezone, UID, and docker GID setup, drops to app user - `files/init-root.sh` - alternative entrypoint for root execution - `base.scratch/` - Scratch runtime image (builds /nop wait program from C) - `build.go/` - Go build image diff --git a/README.md b/README.md index f6a0909..d03cf52 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ The container can be customized in runtime by setting environment from docker's - `TIME_ZONE` - set container's TZ, default "America/Chicago". For scratch-based `TZ` should be used instead - `APP_UID` - UID of internal `app` user, default 1001 +- `DOCKER_GID` - GID of the docker group, default 999. Useful when mounting docker socket with a different GID on the host ### Working with Docker from inside container @@ -44,6 +45,17 @@ The `app` user is a member of the `docker` group. That allows it to interact wit Under standard usage, the Docker socket is not mounted into the container. In such cases, the docker group membership does not grant the app user any elevated privileges. The container remains secure and operates with an unprivileged user. +When the host's docker group has a different GID than the container's default (999), set `DOCKER_GID` to match the host's GID: + +```bash +# find your host docker GID +stat -c %g /var/run/docker.sock # Linux +stat -f %g /var/run/docker.sock # macOS + +# run with matching GID +docker run -e DOCKER_GID=998 -v /var/run/docker.sock:/var/run/docker.sock +``` + #### Security Implications Mounting the Docker socket into a container can pose a security risk, as it effectively grants the container access to the Docker host and its containers. This is not specific to this image but is a general consideration when working with Docker. diff --git a/base.alpine/files/init.sh b/base.alpine/files/init.sh index a379861..a4e6e68 100644 --- a/base.alpine/files/init.sh +++ b/base.alpine/files/init.sh @@ -18,6 +18,35 @@ if [[ ${uid} -eq 0 ]]; then else echo "custom APP_UID not defined, using default uid=1001" fi + + # set GID for docker group + if [[ "${DOCKER_GID}" -ne "999" ]]; then + echo "set custom DOCKER_GID=${DOCKER_GID}" + # check if another group already uses this GID + existing_group=$(getent group "${DOCKER_GID}" | cut -d: -f1) + if [[ -n "${existing_group}" && "${existing_group}" != "docker" ]]; then + # reuse existing group - add app to it for socket access + echo "GID ${DOCKER_GID} used by '${existing_group}', adding app to it" + if ! addgroup app "${existing_group}"; then + echo "error: failed to add app user to group '${existing_group}'" + exit 1 + fi + else + # no collision - create docker group with requested GID + delgroup docker 2>/dev/null || true + if ! addgroup -g "${DOCKER_GID}" docker; then + echo "error: failed to create docker group with GID=${DOCKER_GID}" + exit 1 + fi + if ! addgroup app docker; then + echo "error: failed to add app user to docker group" + exit 1 + fi + fi + else + echo "custom DOCKER_GID not defined, using default gid=999" + fi + chown -R app:app /srv /home/app fi