GW_MC/YANPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add nix dependency and enhance socket permissions handling

Browse Source
This commit is contained in:
GW_MC
2025-12-21 19:32:48 +08:00
parent b823fe6281
commit 61ecd91219
6 changed files with 129 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
apps/agent/docker/s6/cont-init.d/10-create-app-user Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/sh
set -eu
YANPM_AGENT_UID="${YANPM_AGENT_UID:-1000}"
YANPM_AGENT_GID="${YANPM_AGENT_GID:-1000}"
# If a specific socket GID is requested, prefer that for the app group
YANPM_AGENT_GID_EFFECTIVE="${YANPM_AGENT_SOCK_GID:-${YANPM_AGENT_GID}}"
YANPM_AGENT_USER="${YANPM_AGENT_USER:-yanpm-agent}"
YANPM_AGENT_GROUP="${YANPM_AGENT_GROUP:-yanpm-agent}"
# Ensure group exists with desired GID
if grep -qE "^${YANPM_AGENT_GROUP}:" /etc/group 2>/dev/null; then
existing_gid=$(awk -F: -v g="${YANPM_AGENT_GROUP}" '$1==g{print $3}' /etc/group)
if [ "${existing_gid}" != "${YANPM_AGENT_GID_EFFECTIVE}" ]; then
delgroup "${YANPM_AGENT_GROUP}" || true
addgroup -g "${YANPM_AGENT_GID_EFFECTIVE}" "${YANPM_AGENT_GROUP}"
fi
else
addgroup -g "${YANPM_AGENT_GID_EFFECTIVE}" "${YANPM_AGENT_GROUP}"
fi
# Ensure user exists with desired UID and primary group
if grep -qE "^${YANPM_AGENT_USER}:" /etc/passwd 2>/dev/null; then
existing_uid=$(awk -F: -v u="${YANPM_AGENT_USER}" '$1==u{print $3}' /etc/passwd)
if [ "${existing_uid}" != "${YANPM_AGENT_UID}" ]; then
deluser "${YANPM_AGENT_USER}" || true
adduser -D -u "${YANPM_AGENT_UID}" -G "${YANPM_AGENT_GROUP}" "${YANPM_AGENT_USER}"
fi
else
adduser -D -u "${YANPM_AGENT_UID}" -G "${YANPM_AGENT_GROUP}" "${YANPM_AGENT_USER}"
fi
# Add app user to nginx group to allow reading configs
addgroup "${YANPM_AGENT_USER}" nginx || true
# Ensure runtime directories exist and fix ownership
mkdir -p /var/run/yanpm /app
if chown -R "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /var/run/yanpm 2>/dev/null; then
echo "chown: /var/run/yanpm -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
else
echo "Warning: failed to chown /var/run/yanpm to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}. This is common for bind-mounted host volumes or rootless Docker." >&2
fi
if chown -R "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /app/yanpm-agent 2>/dev/null; then
echo "chown: /app/yanpm-agent -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
else
echo "Warning: failed to chown /app/yanpm-agent to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}. Binary will still be used if permissions allow." >&2
fi
if chown "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /app 2>/dev/null; then
echo "chown: /app -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
else
echo "Warning: failed to chown /app to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}." >&2
fi
echo "App user and group setup complete. UID:${YANPM_AGENT_UID} GID:${YANPM_AGENT_GID_EFFECTIVE}"
exit 0

4
apps/agent/docker/s6/services.d/agent/run
View File

@@ -1,5 +1,5 @@
#!/bin/sh
# Run the agent as the unprivileged 'app' user
# Run the agent as the unprivileged 'yanpm-agent' user
cd /app
echo "Starting yanpm-agent..."
exec s6-setuidgid app ./yanpm-agent
exec s6-setuidgid yanpm-agent ./yanpm-agent