mirrors/docker-netbootxyz
1
0
Fork 0
mirror of https://github.com/netbootxyz/docker-netbootxyz.git synced 2025-08-07 14:47:24 +02:00
Code Issues Packages Projects Releases Wiki Activity
ca7a3390c2
docker-netbootxyz/root/usr/local/bin/dnsmasq-wrapper.sh
Antony Messerli ca7a3390c2
Implement rootless Docker container with enhanced security and preserved TFTP logging (#87) 
* Implement rootless Docker container with preserved TFTP logging

- Convert all processes to run as non-root user (nbxyz) for enhanced security
- Add customizable PUID/PGID environment variables for volume permission management
- Implement privilege dropping using gosu for secure initialization
- Optimize Dockerfile with multi-stage build and better caching
- Create dnsmasq wrapper script to ensure TFTP logs appear in docker logs
- Configure supervisord to properly forward dnsmasq output to container stdout
- Maintain full TFTP/PXE boot debugging functionality for users

Security improvements:
- All application processes (nginx, webapp, dnsmasq) run as nbxyz user
- Only supervisord initialization runs as root, then drops privileges
- Proper permission management for all service directories
- Configurable user/group IDs via PUID/PGID environment variables

Performance optimizations:
- Multi-stage Docker build reduces final image size
- Better layer caching for faster rebuilds
- Optimized package installation and cleanup

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update Dockerfile

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update root/init.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-06-12 00:19:27 -05:00

10 lines
531 B
Bash
Raw Blame History

#!/bin/bash
# Wrapper script for dnsmasq to ensure TFTP logs are visible in docker logs
echo "[dnsmasq] Starting TFTP server on port 69"
echo "[dnsmasq] TFTP root: /config/menus"
echo "[dnsmasq] TFTP security: enabled"
echo "[dnsmasq] Logging: enabled (dhcp and queries)"
# Start dnsmasq via gosu with logging to stderr (which supervisord can capture)
exec gosu nbxyz /usr/sbin/dnsmasq --port=0 --keep-in-foreground --enable-tftp --user=nbxyz --tftp-secure --tftp-root=/config/menus --log-facility=- --log-dhcp --log-queries "$@"
Reference in New Issue View Git Blame Copy Permalink