docker-baseimage-ubuntu's Introduction

linuxserver.io

Contact information:-

Type Address/Details
Discord Discord
IRC freenode at #linuxserver.io more information at:- IRC
Forum LinuxServer.io forum

   

A custom base image built with Ubuntu cloud image and S6 overlay.

The following line is only in this repo for loop testing:

  • { date: "01.01.50:", desc: "I am the release message for this internal repo." }

docker-baseimage-ubuntu's People

Contributors

alex-phillips, aptalca, chbmb, j0nnymoe, linuxserver-ci, nemchik, roxedus, sparklyballs, sususu98, thelamer, thespad

docker-baseimage-ubuntu's Issues

Consider including vi

Focal Fossa image doesn't ship with vi which is very handy for troubleshooting purposes. Please consider adding it.

Custom scripts permission issues

Expected Behavior

Container can start with /config mounted to NFS with permissions restricted to a certain user: root_squash

Current Behavior

chown -R 0:0 /config/{custom-cont-init.d,custom-services.d} fails due to lack of permissions

Steps to Reproduce

  1. Configure NFS mount with root_squash and map NFS root user to 1001:1000 user/group (matches abc:abc)
  2. Start a container, in my case: ghcr.io/linuxserver/qbittorrent:latest
  3. Check log files

Environment

OS: k3os
CPU architecture: x86_64
How docker service was installed: containerd

Command used to create docker container (run/create/compose/screenshot)

Docker logs

Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1001
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 90-custom-folders: executing...
chown: changing ownership of '/config/custom-cont-init.d': Operation not permitted
chown: changing ownership of '/config/custom-services.d': Operation not permitted
[cont-init.d] 90-custom-folders: exited 1.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Use MPT Proofs for trustless docker mods.

Desired Behavior

Use DOCKER_MODS in a high security environment.

Current Behavior

When using DOCKER_MODS with a container I can do either <imagename>-<modname> or <imagename>-<modname>-<commitsha>. With the former, it is obvious that I'm trusting that whoever has write access to the docker image repository can backdoor my system. With the latter, this is still true but it is less obvious.

An attacker could delete the image at <imagename>-<modname>-<commitsha> and replace it with another image not built from that commit.

This is unfortunate and I would like to be able to use DOCKER_MODS in a high security environment.

What could be done is to supply a Merkle-Patricia trie (MPT) proof and then have the base image do a proof validation. The proof would allow the base image to trustlessly verify that the file that was downloaded from ghcr.io was in fact part of the file tree for the commit hash provided. This would mean that if I used a base image with a Docker sha256:1234abcd... and I used a DOCKER_MODS with <imagename>-<modname>-<commitsha> there would be no way for an attacker, even one in full control of ghcr.io, to compromise my server during deployment/boot.

Alternatives Considered

Tag the images by Dockerfile hash and verify the hash of the downloaded Dockerfile layer. I don't actually know how to do this or how hard it would be, but maybe it is easier?
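
The inclusion check this issue asks for can be illustrated with git's own object model, which is a SHA-1 Merkle tree rather than a Merkle-Patricia trie. This is an added example, not code from the issue or from linuxserver.io; the function names and the constructed sample commit are assumptions.

```python
import hashlib

def git_hash(kind: bytes, body: bytes) -> bytes:
    """Git object id: SHA-1 over b'<kind> <len>\\0' + body."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).digest()

def tree_entries(body: bytes):
    """Yield (name, raw_id) from entries of the form b'<mode> <name>\\0<20-byte id>'."""
    i = 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\0", sp)
        yield body[sp + 1:nul], body[nul + 1:nul + 21]
        i = nul + 21

def verify_file_in_commit(commit_sha, commit_body, trees, path, content):
    """True only if `content` is the blob at `path` in the tree of `commit_sha`.

    commit_body: raw commit object; trees: raw tree objects, root first,
    one per path component. Everything except commit_sha is untrusted.
    """
    if git_hash(b"commit", commit_body).hex() != commit_sha.lower():
        return False
    first_line = commit_body.split(b"\n", 1)[0]
    if not first_line.startswith(b"tree "):
        return False
    expected = bytes.fromhex(first_line[5:].decode())
    parts = path.encode().split(b"/")
    if len(parts) != len(trees):
        return False
    for name, body in zip(parts, trees):
        # Parse a tree only after its hash matches what the parent committed to.
        if git_hash(b"tree", body) != expected:
            return False
        children = dict(tree_entries(body))
        if name not in children:
            return False
        expected = children[name]
    return git_hash(b"blob", content) == expected

# Constructed sample: one commit holding root/run (not a real mod).
def _entry(mode, name, oid):
    return mode + b" " + name + b"\0" + oid

MOD_FILE = b"#!/usr/bin/with-contenv bash\necho hello\n"
SUB_TREE = _entry(b"100755", b"run", git_hash(b"blob", MOD_FILE))
ROOT_TREE = _entry(b"40000", b"root", git_hash(b"tree", SUB_TREE))
COMMIT = (b"tree " + git_hash(b"tree", ROOT_TREE).hex().encode()
          + b"\nauthor constructed <c@example.invalid> 0 +0000\n\nsample\n")
COMMIT_SHA = git_hash(b"commit", COMMIT).hex()
```

The guarantee is only as strong as the channel that delivered the commit hash and the collision resistance of the object hash (SHA-1 in git's default object format).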

Switch the Ubuntu base repositories to HTTPS

While switching mono and radarr to https I noticed the base lsiobase/xenial-root-x86 has only http:// base repositories. Is this something that could be fixed?
This also would remove the need to install apt-https-transport on each subsequent image using a https repository since it is installed in the root image.

Couldn't find a repo for the root image therefore the issue here :)

abc-user member of several groups (IDs) in the container

See discussion first on your discourse:
https://discourse.linuxserver.io/t/abc-user-member-of-several-groups-ids-in-the-container/2024/3

What I finally need is to have the abc-user member of several groups (IDs) in the container.
For example PGID=1001;1002;1003
The first one 1001 would be used as GID, but the others 1002 1003 would then be extra groups the abc-user is member of.
By this I can decide in detail what the user abc has rights to…
Or have an extra variable besides PGID by which I can define the extra group memberships of the abc-user.

I think the file in question that actually does the work is:
https://github.com/linuxserver/docker-baseimage-ubuntu/blob/bionic/root/etc/cont-init.d/10-adduser

I was asked to continue the discussion here...
/T

upgrade to coreutils 9.0 for nfs 4.2 server-side-copy support

Desired Behavior

When a container does a copy/mv on an NFS mount from a server running NFS 4.2, server-side copy should be used.

Current Behavior

Using the sonarr container (for example) with an nfs mount, when it copies files (often several GB in size), it copies them into memory on the client and then writes them back to the nfs storage. NFS 4.2 supports server-side copy, in which the nfs server does the entire copy locally. This is much faster.

Current coreutils in the container baseimage is 8.3, which does not support this NFS 4.2 feature:

# cp --version
cp (GNU coreutils) 8.30
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Also see: coreutils/coreutils@4b04a0c

Alternatives Considered

I guess I could use some other container with a base that has a newer coreutils, but I like the linuxserver.io containers :)

Docker build hang with latest lsiobase/ubuntu:bionic

I've tried to rebuild some linuxserver.io docker images from my synology and they all hang at the end of the first RUN instruction.
I suspect an issue with s6-overlay but I do not know how to troubleshoot.

I have no error message, process remains alive even if not using CPU and it lasts forever.

When I try to get into the current building container I get:
rpc error: code = 2 desc = containerd: container not found

While when I do docker ps I still see it as running:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e516c8fa1c75 fe9ae0f2be26 "/bin/sh -c 'echo ..." 31 minutes ago Up 31 minutes dreamy_fermat
And once I kill the ongoing building process, docker ps still shows me the same zombie container.

Thanks, team linuxserver.io

[BUG] arm32v7 images wrongly tagged

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In DockerHub, the image arm32v7-jammy is wrongly tagged to architecture linux/amd64.

When building a container using: BASE_IMAGE: lsiobase/ubuntu:arm32v7-jammy
I get the error: ERROR [MyImge] load metadata for docker.io/lsiobase/ubuntu:arm32v7-jammy

The same issue exists with arm32v7-focal.
Specific versions are tagged correctly.

jammy-arm32

Expected Behavior

This image should be tagged to linux/arm/v7

Steps To Reproduce

Build docker container using
BASE_IMAGE: lsiobase/ubuntu:arm32v7-jammy

Environment

- OS: Ubuntu 22.04
- How docker service was installed: docker-ce

Docker creation

MyDocker:
    image: myregistry.domain.com/my/MyDocker
    build:
      context: ./MyDocker
      dockerfile: Dockerfile
      args:
        BASE_IMAGE: lsiobase/ubuntu:arm32v7-jammy

Container logs

ERROR [MyImge] load metadata for docker.io/lsiobase/ubuntu:arm32v7-jammy

Custom services in /custom-services.d not working

Since recent update (https://info.linuxserver.io/issues/2022-08-29-custom-files/) and the new locations for custom scripts and services, custom services seem broken in baseimage-ubuntu (custom scripts are working fine).


Expected Behavior

Services in /custom-services.d should be running (cf https://www.linuxserver.io/blog/2019-09-14-customizing-our-containers)

Current Behavior

Services scripts copied but services not running in container

Steps to Reproduce

Test with the example at https://www.linuxserver.io/blog/2019-09-14-customizing-our-containers, i.e. try to start a simple cron service

#!/usr/bin/with-contenv bash
/usr/sbin/cron

(I installed cron with a custom script in /custom-cont-init.d)

Environment

OS: fedora 36
CPU architecture: x86_64
How docker service was installed: official docker repo

Command used to create docker container (run/create/compose/screenshot)

  test:
    image: lscr.io/linuxserver/code-server:latest
    container_name: test
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
    volumes:
      - ./config_toto:/config
      - ./data/custom-cont-init.d/:/custom-cont-init.d/:ro
      - ./data/custom-services.d:/custom-services.d:ro
    ports:
      - 8443:8443
    restart: unless-stopped

Docker logs

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service 00-legacy: starting
s6-rc: info: service 00-legacy successfully started
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/01-envfile
cont-init: info: /etc/cont-init.d/01-envfile exited 0
cont-init: info: running /etc/cont-init.d/01-migrations
[migrations] started
[migrations] no migrations found
cont-init: info: /etc/cont-init.d/01-migrations exited 0
cont-init: info: running /etc/cont-init.d/02-tamper-check
cont-init: info: /etc/cont-init.d/02-tamper-check exited 0
cont-init: info: running /etc/cont-init.d/10-adduser

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    40106
User gid:    201
-------------------------------------

cont-init: info: /etc/cont-init.d/10-adduser exited 0
cont-init: info: running /etc/cont-init.d/30-config
setting up sudo access
adding abc to sudoers
setting sudo password using SUDO_PASSWORD env var
New password: Retype new password: passwd: password updated successfully
setting permissions::configuration
setting permissions::workspace
cont-init: info: /etc/cont-init.d/30-config exited 0
cont-init: info: running /etc/cont-init.d/90-custom-folders
cont-init: info: /etc/cont-init.d/90-custom-folders exited 0
cont-init: info: running /etc/cont-init.d/99-custom-scripts
[custom-init] service files found in /custom-services.d
[custom-init] cron: service detected, copying...
touch: cannot touch '/etc/s6-overlay/s6-rc.d/custom-svc-cron/dependencies.d/init-services': No such file or directory
[custom-init] cron: copied
[custom-init] files found, executing
[custom-init] test.sh: executing...

Anything relevant after that

Install mesa-va-drivers for hardware acceleration on AMD APU/GPUs

Expected Behavior

linuxserver/docker-emby and I assume others like docker-jellyfin would benefit from access to hw accelerated video encoding and decoding. For Intel and nvidia the needed drivers are provided.
For AMD they can easily be installed with apt-get install mesa-va-drivers
To actually use it this ENV must be updated.
export LIBVA_DRIVERS_PATH=/usr/lib/x86_64-linux-gnu/dri:${LIBVA_DRIVERS_PATH}

root@docker:/# vainfo
error: XDG_RUNTIME_DIR not set in the environment.
error: can't connect to X server!
libva info: VA-API version 1.1.0
libva info: va_getDriverName() returns 0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/radeonsi_drv_video.so
libva info: Found init function __vaDriverInit_1_1
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.1 (libva 2.1.0)
vainfo: Driver version: Mesa Gallium driver 19.2.8 for AMD RAVEN (DRM 3.36.0, 5.6.0-0.bpo.2-amd64, LLVM 9.0.0)
vainfo: Supported profile and entrypoints
      VAProfileMPEG2Simple            :	VAEntrypointVLD
      VAProfileMPEG2Main              :	VAEntrypointVLD
      VAProfileVC1Simple              :	VAEntrypointVLD
      VAProfileVC1Main                :	VAEntrypointVLD
      VAProfileVC1Advanced            :	VAEntrypointVLD
      VAProfileH264ConstrainedBaseline:	VAEntrypointVLD
      VAProfileH264ConstrainedBaseline:	VAEntrypointEncSlice
      VAProfileH264Main               :	VAEntrypointVLD
      VAProfileH264Main               :	VAEntrypointEncSlice
      VAProfileH264High               :	VAEntrypointVLD
      VAProfileH264High               :	VAEntrypointEncSlice
      VAProfileHEVCMain               :	VAEntrypointVLD
      VAProfileHEVCMain               :	VAEntrypointEncSlice
      VAProfileHEVCMain10             :	VAEntrypointVLD
      VAProfileJPEGBaseline           :	VAEntrypointVLD
      VAProfileVP9Profile0            :	VAEntrypointVLD
      VAProfileVP9Profile2            :	VAEntrypointVLD
      VAProfileNone                   :	VAEntrypointVideoProc

## Current Behavior
The drivers to use vaapi on AMD hardware are not installed, thus trying to use such functionality fails

## Steps to Reproduce
1. `apt-get update && apt-get -y install vainfo`
2. ```
   root@docker:/# vainfo
   error: XDG_RUNTIME_DIR not set in the environment.
   error: can't connect to X server!
   libva info: VA-API version 1.1.0
   libva info: va_getDriverName() returns 0
   libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/radeonsi_drv_video.so
   libva info: Trying to open /usr/lib64/dri/radeonsi_drv_video.so
   libva info: Trying to open /usr/lib/dri/radeonsi_drv_video.so
   libva info: va_openDriver() returns -1
   vaInitialize failed with error code -1 (unknown libva error),exit
   ```

## Environment
**OS:**      Debian 10 / Openmediavault
**CPU architecture:** x86_64
**How docker service was installed:**      
Docker was installed from the Openmediavault web interface.

## Command used to create docker container (run/create/compose/screenshot)
`docker run -d --device=/dev/dri:/dev/dri -v /srv/dev-disk-by-label-appdata/AppData/Emby:/config -v /srv/dev-disk-by-label-media/media:/data/media -v /srv/dev-disk-by-label-transcode/transcode:/transcode --network=host --name emby linuxserver/emby:latest`

[BUG] latest arm32 images have amd64 as arch

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

image

Expected Behavior

No response

Steps To Reproduce

n/a

Environment

- OS:
- How docker service was installed:

Docker creation

n/a

Container logs

n/a
