#!/bin/sh
# =============================================================================
# usulnet Agent Docker Entrypoint
#
# Resolves the Docker socket path, grants the service account access to it
# when started as root, and then drops privileges before exec'ing the agent.
# =============================================================================
set -e

# Unprivileged account the agent is exec'ed as when the container starts as root.
USULNET_USER=usulnet
# ---------------------------------------------------------------------------
# Auto-detect Docker socket path (unless DOCKER_SOCKET is already set)
# ---------------------------------------------------------------------------
#######################################
# Locate the Docker daemon socket when DOCKER_SOCKET was not given.
# Candidates are tried in order and the first existing socket wins:
#   1. /var/run/docker.sock
#   2. $XDG_RUNTIME_DIR/docker.sock      (rootless Docker)
#   3. /run/user/<uid>/docker.sock       (rootless Docker)
#   4. the unix:// Host of the current docker context, if a docker CLI exists
# Globals:   XDG_RUNTIME_DIR (read)
# Arguments: none
# Outputs:   the chosen path on stdout; falls back to /var/run/docker.sock
#            even when nothing was found, so the caller always gets a value
# Returns:   0
#######################################
detect_docker_socket() {
  # Steps 1-3: fixed filesystem locations. An empty XDG_RUNTIME_DIR yields an
  # empty candidate, which the -n test skips.
  for _cand in \
    /var/run/docker.sock \
    "${XDG_RUNTIME_DIR:+$XDG_RUNTIME_DIR/docker.sock}" \
    "/run/user/$(id -u)/docker.sock"; do
    [ -n "$_cand" ] && [ -S "$_cand" ] && { echo "$_cand"; return; }
  done

  # Step 4: ask the docker CLI which unix socket the active context points at.
  if command -v docker >/dev/null 2>&1; then
    _ctx_sock=$(docker context inspect 2>/dev/null \
      | sed -n 's/.*"Host"[[:space:]]*:[[:space:]]*"unix:\/\/\(.*\)".*/\1/p' \
      | head -n1)
    if [ -n "$_ctx_sock" ] && [ -S "$_ctx_sock" ]; then
      echo "$_ctx_sock"
      return
    fi
  fi

  # Step 5: nothing found; report the conventional default so later checks
  # can print a useful "not found at <path>" message.
  echo "/var/run/docker.sock"
}
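# Resolve DOCKER_SOCKET, in priority order:
#   1. DOCKER_SOCKET already set by the user — used as-is
#   2. DOCKER_HOST of the form unix://<path> — the path part is used
#   3. autodetection via detect_docker_socket
# The prefix test and strip use shell parameter expansion rather than
# echo | grep | sed: no subprocesses, and no dependence on how echo treats
# values that start with "-" or contain backslashes.
if [ -z "$DOCKER_SOCKET" ]; then
  case "${DOCKER_HOST:-}" in
    unix://*)
      # Derive from standard DOCKER_HOST env var; strip the scheme only.
      DOCKER_SOCKET=${DOCKER_HOST#unix://}
      ;;
    *)
      DOCKER_SOCKET=$(detect_docker_socket)
      ;;
  esac
fi
export DOCKER_SOCKET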
# If running as root, configure Docker socket access and drop to usulnet
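#######################################
# Report whether the agent command line already carries a --config option,
# either as "--config <path>" or "--config=<path>", so the default
# /app/config/agent.yaml is only appended when the user did not pick one.
# Arguments: the agent command line ("$@")
# Returns:   0 if a --config option is present, 1 otherwise
#######################################
has_config_flag() {
  for _arg in "$@"; do
    case "$_arg" in
      --config|--config=*) return 0 ;;
    esac
  done
  return 1
}

_run_uid=$(id -u)

# If running as root, configure Docker socket access and prepare to drop to usulnet
if [ "$_run_uid" = "0" ]; then
  # Auto-detect Docker socket GID and grant access
  if [ -S "$DOCKER_SOCKET" ]; then
    SOCK_GID=$(stat -c '%g' "$DOCKER_SOCKET")
    EXISTING_GROUP=$(getent group "$SOCK_GID" | cut -d: -f1 || true)
    if [ -z "$EXISTING_GROUP" ]; then
      addgroup -g "$SOCK_GID" docker 2>/dev/null || true
      # Re-resolve instead of assuming the name "docker": addgroup fails
      # silently when a group called docker already exists with a different
      # GID, and membership would then be granted on the wrong group.
      EXISTING_GROUP=$(getent group "$SOCK_GID" | cut -d: -f1 || true)
    fi
    if [ -z "$EXISTING_GROUP" ]; then
      echo "WARNING: no group has GID $SOCK_GID and none could be created; $USULNET_USER may not be able to use $DOCKER_SOCKET"
    else
      if [ "$SOCK_GID" = "0" ]; then
        # A socket owned by GID 0 means the service account joins the root
        # group, which grants more than socket access; make that visible.
        echo "WARNING: $DOCKER_SOCKET is owned by GID 0; adding $USULNET_USER to group $EXISTING_GROUP widens its access beyond the Docker socket"
      fi
      addgroup "$USULNET_USER" "$EXISTING_GROUP" 2>/dev/null || true
      echo "Docker socket GID=$SOCK_GID, added $USULNET_USER to group $EXISTING_GROUP"
    fi
  else
    echo "WARNING: Docker socket not found at $DOCKER_SOCKET"
    echo " Searched: /var/run/docker.sock, \$XDG_RUNTIME_DIR/docker.sock, /run/user/<UID>/docker.sock, docker context"
    echo " Set DOCKER_SOCKET or DOCKER_HOST to specify the path manually."
  fi
  # Ensure data directories are owned by usulnet
  chown -R "$USULNET_USER:$USULNET_USER" /app/data 2>/dev/null || true
  chown -R "$USULNET_USER:$USULNET_USER" /app/certs 2>/dev/null || true
fi

# Write PID file for healthcheck. The exec below replaces this shell in
# place, so the agent keeps this PID.
echo $$ > /app/data/agent.pid

# Auto-add --config flag if config file exists and no --config was passed
if [ -f /app/config/agent.yaml ] && ! has_config_flag "$@"; then
  set -- "$@" --config /app/config/agent.yaml
fi

if [ "$_run_uid" = "0" ]; then
  # Drop privileges and exec the command
  exec su-exec "$USULNET_USER" "$@"
fi
# Already running as non-root
exec "$@"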