Issue #46 clarify capability requirements for samba-dc

instantlinux · Jan 9, 2022 · 8d2f6ec · 8d2f6ec
1 parent 623f2cc
commit 8d2f6ec
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/images/samba-dc/README.md b/images/samba-dc/README.md
@@ -9,7 +9,7 @@ The most-common directives can be specified in environment variables as shown be
 Basic requirements:
 
 * A Domain Controller must have a static IP address and persistent DNS entry
-* This container must be run in network_mode:host
+* This container must be run in network_mode:host, and with cap_add:CAP_SYS_ADMIN privs
 * A NETBIOS_NAME or hostname must be specified, which becomes the netbios name.
 
 The directories /etc/samba and /var/lib/samba must be mounted as persistent volumes. If /var/lib/samba is empty, the "provision" or "join" action specified in DOMAIN_ACTION variable will be taken.

diff --git a/images/samba-dc/docker-compose.yml b/images/samba-dc/docker-compose.yml
@@ -5,6 +5,8 @@ services:
     image: ${REGISTRY_URI:-instantlinux}/samba-dc:latest
     restart: always
     network_mode: host
+    cap_add:
+      - CAP_SYS_ADMIN
     hostname: ${SAMBADC_HOSTNAME:-dc.example.com}
     environment:
       DOMAIN_ACTION: join

diff --git a/images/samba-dc/entrypoint.sh b/images/samba-dc/entrypoint.sh
@@ -14,6 +14,10 @@ if [ ! -f /etc/timezone ] && [ ! -z "$TZ" ]; then
 fi
 
 if [ ! -f /var/lib/samba/registry.tdb ]; then
+  if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
+    echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
+    exit 1
+  fi
   ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
   if [ "$BIND_INTERFACES_ONLY" == yes ]; then
     INTERFACE_OPTS="--option=\"bind interfaces only=yes\" \