With autopause, provide option to start knockd without sudo

2023-10-08 11:00:14 -05:00 · 2023-10-08 11:00:14 -05:00 · 6fce520004
parent ec539a5dd2
commit 6fce520004
6 changed files with 14 additions and 7 deletions
--- a/7
+++ b/7
@ -9,14 +9,11 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT

-# CI system should set this to a hash or git revision of the build directory and it's contents to
-# ensure consistent cache updates.
-ARG BUILD_FILES_REV=1
 RUN --mount=target=/build,source=build \
-    REV=${BUILD_FILES_REV} TARGET=${TARGETARCH}${TARGETVARIANT} /build/run.sh install-packages
+    TARGET=${TARGETARCH}${TARGETVARIANT} /build/run.sh install-packages

 RUN --mount=target=/build,source=build \
-    REV=${BUILD_FILES_REV} /build/run.sh setup-user
+    /build/run.sh setup-user

 COPY --chmod=644 files/sudoers* /etc/sudoers.d

--- a/build/alpine/install-packages.sh
+++ b/build/alpine/install-packages.sh
@ -26,9 +26,11 @@ apk add --no-cache -U \
    zstd \
    nfs-utils \
    libpcap \
-    libwebp
+    libwebp \
+    libcap

 # Patched knockd
 curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-alpine-amd64.tar.gz
 tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz
 ln -s /usr/local/sbin/knockd /usr/sbin/knockd
+setcap cap_net_raw=ep /usr/local/sbin/knockd
--- a/build/ol/install-packages.sh
+++ b/build/ol/install-packages.sh
@ -46,3 +46,4 @@ bash /build/ol/install-gosu.sh
 curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-$TARGET.tar.gz
 tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz
 ln -s /usr/local/sbin/knockd /usr/sbin/knockd
+setcap cap_net_raw=ep /usr/local/sbin/knockd
--- a/build/ubuntu/install-packages.sh
+++ b/build/ubuntu/install-packages.sh
@ -35,4 +35,5 @@ apt-get clean
 curl -fsSL -o /tmp/knock.tar.gz https://github.com/Metalcape/knock/releases/download/0.8.1/knock-0.8.1-$TARGET.tar.gz
 tar -xf /tmp/knock.tar.gz -C /usr/local/ && rm /tmp/knock.tar.gz
 ln -s /usr/local/sbin/knockd /usr/sbin/knockd
+setcap cap_net_raw=ep /usr/local/sbin/knockd
 find /usr/lib -name 'libpcap.so.0.8' -execdir cp '{}' libpcap.so.1 \;
--- a/docs/misc/autopause-autostop/autopause.md
+++ b/docs/misc/autopause-autostop/autopause.md
@ -38,6 +38,8 @@ The following environment variables define the behaviour of auto-pausing:
  describes period of the daemonized state machine, that handles the pausing of the process (resuming is done independently)
 - `AUTOPAUSE_KNOCK_INTERFACE`, default `eth0`
  <br>Describes the interface passed to the `knockd` daemon. If the default interface does not work, run the `ifconfig` command inside the container and derive the interface receiving the incoming connection from its output. The passed interface must exist inside the container. Using the loopback interface (`lo`) does likely not yield the desired results.
+- `AUTOPAUSE_SUDO`, default "true"
+  specifies if the knockd service should be run via sudo in order to elevate its privileges

 !!! tip

--- a/files/auto/autopause-daemon.sh
+++ b/files/auto/autopause-daemon.sh
@ -45,7 +45,11 @@ if isTrue "${DEBUG_AUTOPAUSE}"; then
  knockdArgs+=(-D)
 fi

-sudo /usr/local/sbin/knockd "${knockdArgs[@]}"
+if isTrue "${AUTOPAUSE_SUDO:-true}"; then
+  sudo /usr/local/sbin/knockd "${knockdArgs[@]}"
+else
+  /usr/local/sbin/knockd "${knockdArgs[@]}"
+fi
 if [ $? -ne 0 ] ; then
  logAutopause "Failed to start knockd daemon."
  logAutopause "Probable cause: Unable to attach to interface \"$AUTOPAUSE_KNOCK_INTERFACE\"."