Refactored docker-entrypoint.sh to add docker group

- moved most of docker-entrypoint.sh into start-haproxy.sh
- made container run as root initially, assign group of docker socket to haproxy user and execute start-haproxy.sh as haproxy
- passthrough positional parameters to start-haproxy
- updated documentation

Dockerfile

@@ -33,3 +33,5 @@ ENV ALLOW_RESTARTS=0 \
     VOLUMES=0
 COPY docker-entrypoint.sh /usr/local/bin/
 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+COPY start-haproxy.sh /usr/local/bin/
+USER root

README.md

@@ -41,14 +41,11 @@ never happen.
 
         $ docker container run \
             -d \
-            --group-add "$(getent group docker | cut -d: -f3)" \
             --name dockerproxy \
             -v /var/run/docker.sock:/var/run/docker.sock \
             -p 127.0.0.1:2375:2375 \
             tecnativa/docker-socket-proxy
 
-    The `--group-add` adds the container's user (`haproxy`) to the `docker` group, allowing access to the Docker socket. This assumes that the `docker` group exists and has access to the Docker socket.
-    
     An additional `--privileged` flag is required in some SELinux/AppArmor contexts, because the Docker socket is considered a privileged resource and might otherwise be blocked.
 
 2.  Connect your local docker client to that socket:

docker-entrypoint.sh

@@ -1,32 +1,9 @@
 #!/bin/sh
 set -e
 
-# Normalize the input for DISABLE_IPV6 to lowercase
-DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
+# add haproxy user to group of docker socket
+DOCKER_GROUP=$(stat -c %G "$SOCKET_PATH")
+adduser haproxy "$DOCKER_GROUP"
 
-# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
-case "$DISABLE_IPV6_LOWER" in
-    1|true|yes)
-        export BIND_PORT=':2375'
-        export BIND_OPTIONS=''
-        ;;
-    *)
-        export BIND_PORT=':::2375'
-        export BIND_OPTIONS='v4v6'
-        ;;
-esac
-
-# first arg is `-f` or `--some-option`
-if [ "${1#-}" != "$1" ]; then
-	set -- haproxy "$@"
-fi
-
-if [ "$1" = 'haproxy' ]; then
-	shift # "haproxy"
-	# if the user wants "haproxy", let's add a couple useful flags
-	#   -W  -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
-	#   -db -- disables background mode
-	set -- haproxy -W -db "$@"
-fi
-
-exec "$@"
+# continue as haproxy user, preserving entrypoint parameters
+su -s /bin/sh -c 'start-haproxy.sh "$@"' haproxy -- "$@"

start-haproxy.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+set -e
+
+# Normalize the input for DISABLE_IPV6 to lowercase
+DISABLE_IPV6_LOWER=$(echo "$DISABLE_IPV6" | tr '[:upper:]' '[:lower:]')
+ 
+# Check for different representations of 'true' and set BIND_PORT and BIND_OPTIONS accordingly
+case "$DISABLE_IPV6_LOWER" in
+    1|true|yes)
+        export BIND_PORT=':2375'
+        export BIND_OPTIONS=''
+        ;;
+    *)
+        export BIND_PORT=':::2375'
+        export BIND_OPTIONS='v4v6'
+        ;;
+esac
+ 
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- haproxy "$@"
+fi
+ 
+if [ "$1" = 'haproxy' ]; then
+	shift # "haproxy"
+	# if the user wants "haproxy", let's add a couple useful flags
+	#   -W  -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
+	#   -db -- disables background mode
+	set -- haproxy -W -db "$@"
+fi
+ 
+exec "$@"