PUID and PGID Environment Variable Support and some changes changes to VCS functions #77
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit refactors the Docker startup to securely support setting the container's user (PUID) and group (PGID) IDs at runtime, which is standard practice for deployment platforms like Unraid/Docker Compose. Key changes: - **PUID/PGID Wrapper:** The original 'entrypoint.sh' was renamed to 'run-imapfilter.sh' and a new 'entrypoint.sh' was created to serve as a root-level wrapper. - **Robust ID Checks:** The new wrapper script efficiently checks if the 'imapfilter' user/group already exists with the target PUID and PGID before deleting and re-creating them. - **Privilege Dropping:** The container starts as root (temporarily) to perform user setup, then uses 'exec su' to immediately drop privileges and launch '/run-imapfilter.sh' as the configured non-root user. - **Default:** PUID and PGID default to 1001 if not provided.
## Feature: Dynamic PUID/PGID Support & Robust VCS Updates This series of changes fundamentally refactors the container's start-up process to enable **dynamic user management (PUID/PGID)** and significantly enhance the **security and reliability of the Git VCS configuration pull**. *** ### 1. New Security and Flexibility: PUID/PGID Support The container now runs the application as a non-root user that is created dynamically to match the host system's User ID (`$PUID`) and Group ID (`$PGID`). This is achieved by splitting the start-up logic: #### `entrypoint.sh` (New Root Wrapper) * **Privilege Management:** The script runs as `root` to handle all user/group creation and privilege fixing. * **Dynamic ID Check:** It uses `getent` to check if the `imapfilter` group and user exist and, more importantly, verifies that their current GID and UID match the passed `$PGID` and `$PUID` environment variables. * **Robust Re-creation:** If any ID mismatch is detected, the group/user is safely deleted and re-created with the correct IDs. * **Privilege Drop:** The script finishes by running **`exec su "$USER_NAME" -c /run-imapfilter.sh`** to safely drop all root privileges before executing the core application script. #### `Dockerfile` Updates * **Static User Removed:** The old, static user creation was removed from the image build. * **Dependencies Added:** The **`shadow`** package was added (`RUN apk add … shadow`) to provide the necessary utilities (`deluser`, `addgroup`, `su`) for the dynamic user management script. *** ### 2. Enhanced VCS Stability and Security The `run-imapfilter.sh` script, which now executes as a low-privilege user, was hardened to make Git authentication with Personal Access Tokens (PATs) reliable and secure. #### `run-imapfilter.sh` Changes | Function | Change | Purpose | | :--- | :--- | :--- | | `vcs_token()` | Added **`| tr -d '[:space:]'`** to token retrieval. | **Fixes Authentication:** Strips all whitespace, including the trailing newline from Docker Secrets, which previously invalidated the token string. | | `vcs_uri()` | Implemented a **protocol stripping check** using `case "$GIT_TARGET" in *://*`)`. | **Prevents Malformed URI:** Ensures the script never creates an invalid double-prefixed URL like `https://token@https://github.com/...` if the user provides a full URL in `$GIT_TARGET`. | | `pull_config()` | Retained the **`--verbose`** Git flag with output redirection (`2>&1`). | **Improved Diagnostics:** Keeps the detailed Git error output visible in the logs for quick troubleshooting of future authentication or network issues, while removing non-critical debug messages to reduce log noise. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Feature: Dynamic PUID/PGID & Robust VCS Stability
This PR introduces essential functionality for managing user privileges and significantly enhances the reliability of fetching configuration via Git, addressing common failure points related to secrets and shell execution.
1. Security & Dynamic PUID/PGID Support
The container now runs the application as a non-root user that dynamically matches the host's User ID (PUID) and Group ID (PGID). These environment variables are optional and will default to 1001 if not provided. This enhances security and ensures correct file ownership.
entrypoint.sh(New)exec suto safely drop privileges before running the application.rootafter setup.Dockerfileshadowpackage.2. Robust VCS Integration
The core application script, now named
run-imapfilter.sh(renamed from the original entrypoint), continues to execute as a low-privilege user and was hardened to make Git authentication with Personal Access Tokens (PATs) more reliable.vcs_token()tr -d '[:space:]'to token retrieval.vcs_uri()casestatement (${GIT_TARGET#*://}).https://...https://).pull_config()git pull --ff-onlycommand withgit -C <path>and added the--verboseflag.cd/cd -) and simplifies complex update logic into a single, reliable step while making error output visible in the logs for quick troubleshooting.--verboseand2>&1).