From a1f3a9e38f2fa48557a55f7994ea0da64e53f054 Mon Sep 17 00:00:00 2001
From: Niklas Teichmann
Date: Wed, 2 Jul 2025 13:22:49 +0200
Subject: [PATCH] Refactored docker-entrypoint.sh to add docker group

- moved most of docker-entrypoint.sh into start-haproxy.sh
- made container run as root initially, assign group of docker socket to haproxy user and execute start-haproxy.sh as haproxy
- passthrough positional parameters to start-haproxy
- updated documentation
---
 Dockerfile | 4 +++-
 README.md | 3 ---
 docker-entrypoint.sh | 33 +++++----------------------------
 start-haproxy.sh | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 40 insertions(+), 32 deletions(-)
 create mode 100755 start-haproxy.sh

diff --git a/Dockerfile b/Dockerfile
index c68d4d6..fd8ed69 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,4 +32,6 @@ ENV ALLOW_RESTARTS=0 \
 VERSION=1 \
 VOLUMES=0
 COPY docker-entrypoint.sh /usr/local/bin/
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
\ No newline at end of file
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+COPY start-haproxy.sh /usr/local/bin/
+USER root
\ No newline at end of file
diff --git a/README.md b/README.md
index ce71753..63f83a5 100644
--- a/README.md
+++ b/README.md
@@ -41,14 +41,11 @@ never happen.
 $ docker container run \
 -d \
- --group-add "$(getent group docker | cut -d: -f3)" \
 --name dockerproxy \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -p 127.0.0.1:2375:2375 \
 tecnativa/docker-socket-proxy
- The `--group-add` adds the container's user (`haproxy`) to the `docker` group, allowing access to the Docker socket. This assumes that the `docker` group exists and has access to the Docker socket.
- An additional `--privileged` flag is required in some SELinux/AppArmor contexts, because the Docker socket is considered a privileged resource and might otherwise be blocked. 2. Connect your local docker client to that socket:
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 59f703b..5832f6b 100755
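Review bot: The added `USER root` at the end of the Dockerfile carries no explanation, and since the diffstat shows the README change is deletion-only, nothing in the commit tells an operator that the container now starts as root and only drops to haproxy inside docker-entrypoint.sh; add a comment above it such as `# Entry point must start as root to add haproxy to the socket's group; it switches to haproxy (via su) before starting haproxy.` Worth spelling out in that comment too that anyone overriding the entrypoint (e.g. `--entrypoint sh`) now gets a root shell, where the previous image did not, so the README section that used to document `--group-add` should describe the new privilege model rather than just lose the old paragraph.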
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,32 +1,9 @@
 #!/bin/sh
 set -e
-# Normalize the input for DISABLE_IPV6 to lowercase
-DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
+# add haproxy user to group of docker socket
+DOCKER_GROUP=$(stat -c %G "$SOCKET_PATH")
+adduser haproxy "$DOCKER_GROUP"
-# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
-case "$DISABLE_IPV6_LOWER" in
-  1|true|yes)
-    export BIND_PORT=':2375'
-    export BIND_OPTIONS=''
-    ;;
-  *)
-    export BIND_PORT=':::2375'
-    export BIND_OPTIONS='v4v6'
-    ;;
-esac
-
-# first arg is `-f` or `--some-option`
-if [ "${1#-}" != "$1" ]; then
-  set -- haproxy "$@"
-fi
-
-if [ "$1" = 'haproxy' ]; then
-  shift # "haproxy"
-  # if the user wants "haproxy", let's add a couple useful flags
-  # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
-  # -db -- disables background mode
-  set -- haproxy -W -db "$@"
-fi
-
-exec "$@"
+# continue as haproxy user, preserving entrypoint parameters
+su -s /bin/sh -c 'start-haproxy.sh "$@"' haproxy -- "$@"
\ No newline at end of file
diff --git a/start-haproxy.sh b/start-haproxy.sh
new file mode 100755
index 0000000..cfbe8c6
--- /dev/null
+++ b/start-haproxy.sh
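Review bot: `stat -c %G "$SOCKET_PATH"` resolves the socket's owning group to a name through the container's own /etc/group, and the host's docker group GID normally has no entry there, so stat prints `UNKNOWN` and the following `adduser haproxy UNKNOWN` aborts the entrypoint under `set -e` — exactly the case the removed `--group-add "$(getent group docker | cut -d: -f3)"` handled by passing a numeric GID; read the numeric gid with `%g` and create a group for it when none exists, as sketched below (the `addgroup`/`adduser` spelling is BusyBox, so adjust if the base image is Debian). The same step should refuse a socket group-owned by gid 0, because joining the root group grants far more than socket access. Separately, on the final `su` line both util-linux and BusyBox `su -c` take the first argument after the user name as the shell's `$0`, so the first entrypoint parameter is silently consumed and only reaches start-haproxy.sh by accident when it is `haproxy`; pass a placeholder name first, `su -s /bin/sh -c 'exec start-haproxy.sh "$@"' haproxy -- sh "$@"`. `SOCKET_PATH` is read here but not set in this hunk; presumably it comes from the Dockerfile's ENV block, which is outside the shown lines.
```shell
# add haproxy user to the group that owns the docker socket, by gid: the host's
# docker group usually has no name inside the container, so %G would be UNKNOWN
DOCKER_GID=$(stat -c %g "$SOCKET_PATH")
if [ "$DOCKER_GID" -eq 0 ]; then
  echo "refusing to add haproxy to the root group (socket is group-owned by gid 0)" >&2
  exit 1
fi
DOCKER_GROUP=$(getent group "$DOCKER_GID" | cut -d: -f1)
if [ -z "$DOCKER_GROUP" ]; then
  # name chosen not to collide with an existing 'docker' entry in the image
  DOCKER_GROUP=dockersock
  addgroup -g "$DOCKER_GID" "$DOCKER_GROUP"   # BusyBox; use groupadd -g on Debian-based images
fi
adduser haproxy "$DOCKER_GROUP"

# … unchanged: comment before su …
su -s /bin/sh -c 'exec start-haproxy.sh "$@"' haproxy -- sh "$@"
```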
@@ -0,0 +1,32 @@
+#!/bin/sh
+set -e
+
+# Normalize the input for DISABLE_IPV6 to lowercase
+DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
+
+# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
+case "$DISABLE_IPV6_LOWER" in
+  1|true|yes)
+    export BIND_PORT=':2375'
+    export BIND_OPTIONS=''
+    ;;
+  *)
+    export BIND_PORT=':::2375'
+    export BIND_OPTIONS='v4v6'
+    ;;
+esac
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+  set -- haproxy "$@"
+fi
+
+if [ "$1" = 'haproxy' ]; then
+  shift # "haproxy"
+  # if the user wants "haproxy", let's add a couple useful flags
+  # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
+  # -db -- disables background mode
+  set -- haproxy -W -db "$@"
+fi
+
+exec "$@"
\ No newline at end of file
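Review bot: The new file is the unprivileged second stage of docker-entrypoint.sh, but nothing in it says so, and a reader opening it alone cannot tell that it is expected to run as the haproxy user with no root privileges; add a header comment under `set -e` such as `# Second stage of docker-entrypoint.sh: invoked via su as the haproxy user after the socket group has been granted, so nothing here may require root.` The final `exec "$@"` with no parameters is a silent no-op that exits 0, which now matters more since the entrypoint's su invocation can drop the first argument; a guard such as `[ "$#" -gt 0 ] || { echo "start-haproxy.sh: no command given" >&2; exit 1; }` before the `if [ "${1#-}" != "$1" ]` check would make that failure visible.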