24 Commits

Author SHA1 Message Date
Antony Messerli
988fe91078 Decouple Secure Boot download from menu first-run check
Address review feedback:
- Move Secure Boot download to its own conditional block that checks
  for the secureboot-x86_64 directory, so existing installs pick up
  Secure Boot binaries on the next container restart
- Resolve MENU_VERSION once at the top (from env, menuversion.txt,
  or GitHub API) so it's available to both blocks
- Use curl -fsSL for autoexec.ipxe download to fail on HTTP errors
  instead of silently saving HTML error pages
- Update README note to reflect that Secure Boot downloads run
  independently of menu downloads
2026-03-15 17:35:59 -05:00
Antony Messerli
b74d8a0e1b Add error handling for Secure Boot archive extraction and file checks
Address review feedback:
- Wrap tar extraction in error check so cp loops are skipped on failure
- Add per-file existence checks with warnings if iPXE archive layout changes
- Use nullglob for secureboot-* glob to avoid iterating literal pattern
2026-03-15 17:02:50 -05:00
Antony Messerli
ee9d2300bb Download Secure Boot binaries directly from upstream iPXE release
Pull signed EFI binaries unmodified from the iPXE project release
(ipxeboot.tar.gz) and the autoexec.ipxe boot script from the
netboot.xyz release. This preserves provenance of the Microsoft-signed
and iPXE Secure Boot CA-signed binaries rather than redistributing
them through netboot.xyz.

The iPXE Secure Boot version defaults to v2.0.0 and can be overridden
via the IPXE_SB_VERSION environment variable.

Documents the upstream source and version for both the signed binaries
and the boot script in init.sh comments and README.
2026-03-15 16:56:27 -05:00
Antony Messerli
263fb8aaf0 Add UEFI Secure Boot support
Download Secure Boot tarballs (secureboot-x86_64.tar.gz,
secureboot-arm64.tar.gz) from netboot.xyz releases during container
init. These contain Microsoft-signed iPXE shim binaries and a
templated autoexec.ipxe that chains into the netboot.xyz menu system.

Files are extracted into /config/menus/secureboot-{x86_64,arm64}/
and served via TFTP alongside existing boot files. Gracefully skips
download if the release doesn't include Secure Boot assets (e.g.
older pinned MENU_VERSION).

Also adds Secure Boot DHCP configuration examples and boot file
documentation to the README.
2026-03-15 16:29:52 -05:00
Antony Messerli
ed111b6cbc Let master process run as root to bind to 80, workers run as nbxyz 2025-06-19 11:09:26 -05:00
Antony Messerli
df298e7c32 Remove gosu so that ports can bind
Remove gosu so that ports can bind using root and then switch running
state to nbxyz
2025-06-19 10:18:03 -05:00
Antony Messerli
4c5e9d6676 Fix nginx permission error for log directory access (#88)
The nginx service was failing to start due to permission denied errors
when trying to access /var/lib/nginx/logs/error.log. This directory is
a symlink to /var/log/nginx which was owned by the nginx user instead
of the nbxyz user that runs the service.

Added proper ownership setup for /var/log/nginx directory to ensure
nginx can write logs when running as the nbxyz user.
2025-06-12 00:42:02 -05:00
Antony Messerli
ca7a3390c2 Implement rootless Docker container with enhanced security and preserved TFTP logging (#87)
* Implement rootless Docker container with preserved TFTP logging

- Convert all processes to run as non-root user (nbxyz) for enhanced security
- Add customizable PUID/PGID environment variables for volume permission management
- Implement privilege dropping using gosu for secure initialization
- Optimize Dockerfile with multi-stage build and better caching
- Create dnsmasq wrapper script to ensure TFTP logs appear in docker logs
- Configure supervisord to properly forward dnsmasq output to container stdout
- Maintain full TFTP/PXE boot debugging functionality for users

Security improvements:
- All application processes (nginx, webapp, dnsmasq) run as nbxyz user
- Only supervisord initialization runs as root, then drops privileges
- Proper permission management for all service directories
- Configurable user/group IDs via PUID/PGID environment variables

Performance optimizations:
- Multi-stage Docker build reduces final image size
- Better layer caching for faster rebuilds
- Optimized package installation and cleanup

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update Dockerfile

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update root/init.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-06-12 00:19:27 -05:00
Antony Messerli
5cb5107718 Add container healthchecks 2025-06-07 08:36:05 -05:00
Antony Messerli
1d5de02310 Add donate links to logs 2025-02-03 21:06:37 -06:00
Antony Messerli
9f6022b3a0 Merge pull request #78 from netbootxyz/limit_envsub
Limit envsub to only variable being changed
2024-12-30 14:07:34 -06:00
Antony Messerli
683adc2626 Limit envsub to only variable being changed 2024-12-30 12:49:45 -06:00
dezeroku
fe00be36f4 Replace in.tftp with dnsmasq, to add support for single-port TFTP 2024-07-13 00:20:28 +02:00
Antony Messerli
de524f8acc Merge pull request #57 from CompPhy/master
Make web app port configurable.
2024-02-05 00:18:22 -06:00
Kelly Shutt
c4014a0a6e Make web app port configurable. 2024-02-02 08:10:30 -05:00
dezeroku
cdae9b6897 Separate init script from the start script 2024-01-31 02:15:07 +01:00
Kelly Shutt
959f24bc59 Make nginx port configurable through ENV variable. 2024-01-11 20:38:42 -05:00
Antony Messerli
a3ef0c6588 Update donate.txt 2023-02-06 14:53:15 -06:00
Antony Messerli
51e9e3df03 Revert adding user to tftpd
Error: cannot set groups for user nbxyz
2023-01-19 01:14:58 -06:00
Antony Messerli
a3fc61bdcc Update to Alpine 3.17
Removes deprecated npm option, sets user to nbxyz
for tftpd, adds script for testing build
2023-01-19 00:41:50 -06:00
Antony Messerli
da43d1dd48 Drop rpi image 2022-04-21 22:12:10 -05:00
Julien Nicoulaud
7e4f4d465a add support for passing additional options to tftpd 2022-02-08 19:53:56 +01:00
Antony Messerli
5e89aaf8eb Add a few more arm options 2021-10-11 09:43:17 -05:00
Antony Messerli
027cd38089 first commit 2021-09-06 19:07:15 -05:00