Make subsonic run as non-root. And transcode stuff

stuckj · Jan 26, 2021 · ab58563 · ab58563
1 parent 0350919
commit ab58563
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 13 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,21 +10,20 @@ RUN apt update \
   && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p /opt/subsonic \
-  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 \
-  && mkdir -p /var/subsonic/transcode \
-  && cd /var/subsonic/transcode \
-  && ln -s "$(which ffmpeg)" \
-  && ln -s "$(which lame)"
+  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 
 RUN wget --no-check-certificate https://s3-eu-west-1.amazonaws.com/subsonic-public/download/subsonic-6.1.6-standalone.tar.gz \
   && tar xvzf subsonic-6.1.6-standalone.tar.gz -C /opt/subsonic \
   && rm -rf subsonic-6.1.6-standalone.tar.gz
 
-COPY mikmod_stdout /var/subsonic/transcode
-COPY timidity_stdout /var/subsonic/transcode
+COPY mikmod_stdout /opt/subsonic
+COPY timidity_stdout /opt/subsonic
 
 COPY entrypoint.sh /opt/subsonic/entrypoint.sh
 
+RUN groupadd --system --gid 1000 subsonic \
+  && useradd --system --home-dir /var/subsonic --shell /bin/bash --gid 1000 --uid 1000 subsonic
+
 WORKDIR /opt/subsonic
 
 VOLUME [ "/var/music", "/var/playlists", "/var/subsonic" ]

diff --git a/README.md b/README.md
@@ -43,6 +43,17 @@ The container will use volumes for for the following directories within the cont
 | /var/playlists | Path where subsonic will look for (and store) playlists (by default). |
 | /var/subsonic  | Path where subsonic stores any state and configuration.               |
 
+## Permissions
+
+Subsonic will be run by a service user inside the container (subsonic) with UID=1000 and GID=1000. The
+UID / GID are not currently customizable without modifying the Dockerfile. The permissions will be set
+on any directory / volume you map onto `/var/subsonic` so that it is owned by subsonic:subsonic. If you
+are transferring a subsonic installation to this container make sure to change ownership of everything
+under `/var/subsonic` to subsonic:subsonic. You can do this with this command: `chmod -R subsonic:subsonic DIR`
+where `DIR` is the directory you are mapping to `/var/subsonic`.
+
+The permissions on any music, playlist, etc must be at least readable by subsonic:subsonic.
+
 ## Docker run
 
 Here is an example `docker run` command that you can use to run the container:
@@ -93,6 +104,4 @@ services:
 
 ## TODOs
 
-TODO: Change user to non-root!!!
-
 TODO: Setup auto-detection of new versions in Dockerfile (will need to scrape page).
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -e
+
 # This is a replacement for subsonic.sh that comes with subsonic as it is not docker friendly
 # This will properly NOT daemonize the java process and will log to stdout / stderr.
 
@@ -18,12 +20,32 @@ SUBSONIC_DEFAULT_PLAYLIST_FOLDER=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER:-/var/playli
 
 # Use JAVA_HOME if set, otherwise assume java is in the path.
 JAVA=java
-if [ -e "${JAVA_HOME}" ]
-    then
+if [ -e "${JAVA_HOME}" ]; then
     JAVA=${JAVA_HOME}/bin/java
 fi
 
-exec ${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
+# Make sure all transcoding executables are in /var/subsonic/transcode (subsonic requires this)
+if [ ! -d /var/subsonic/transcode ]; then
+    mkdir -p /var/subsonic/transcode
+    chown subsonic:subsonic /var/subsonic/transcode
+fi
+if [ ! -e /var/subsonic/transcode/ffmpg ]; then
+    ln -sf "$(which ffmpeg)" /var/subsonic/transcode/ffmpeg
+fi
+if [ ! -e /var/subsonic/transcode/lame ]; then
+    ln -sf "$(which lame)" /var/subsonic/transcode/lame
+fi
+if [ ! -f /var/subsonic/transcode/mikmod_stdout ]; then
+    cp /opt/subsonic/mikmod_stdout /var/subsonic/transcode
+fi
+if [ ! -f /var/subsonic/transcode/timidity_stdout ]; then
+    cp /opt/subsonic/timidity_stdout /var/subsonic/transcode
+fi
+
+# Make sure permissions are correct on /var/subsonic
+chown subsonic:subsonic /var/subsonic
+
+exec /bin/su -c "${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
   -Dsubsonic.home=${SUBSONIC_HOME} \
   -Dsubsonic.host=${SUBSONIC_HOST} \
   -Dsubsonic.port=${SUBSONIC_PORT} \
@@ -35,4 +57,4 @@ exec ${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
   -Dsubsonic.defaultPlaylistFolder=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER} \
   -Djava.awt.headless=true \
   -verbose:gc \
-  -jar subsonic-booter-jar-with-dependencies.jar
+  -jar subsonic-booter-jar-with-dependencies.jar" subsonic