Merge pull request #19 from linuxserver/non-root

add support for read-only and non-root

Author: aptalca

README.md

@@ -63,6 +63,14 @@ The web app and the server are both accessible at `http://SERVERIP:8088`.
 
 Note: It is recommended to use `http` as the external proto with a reverse proxy due to `https` not working with external plex clients.
 
+## Read-Only Operation
+
+This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
 ## Usage
 
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -104,6 +112,8 @@ Containers are configured using parameters passed at runtime (such as those abov
 | :----: | --- |
 | `-p 8088:8088` | Web app and server port |
 | `-e AUTH_LIST=plexuser1,plexuser2,email1,machineid1` | If set, only the users defined here and the users of the plex servers defined here will be able to access the server. Use e-mails, plex usernames and/or plex server machine ids, comma separated, no spaces. |
+| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 
 ## Environment variables from files (Docker secrets)
 
@@ -249,6 +259,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **19.12.24:** - Add support for read-only and non-root operation.
 * **05.12.24:** - Rebase to Alpine 3.21.
 * **04.06.24:** - Rebase to Alpine 3.20.
 * **26.08.23:** - Rebase to Alpine 3.19. Remove deprecated `AUTOJOIN_ENABLED` & `AUTOJOIN_ROOM` options.

readme-vars.yml

@@ -13,18 +13,15 @@ available_architectures:
 # container parameters
 common_param_env_vars_enabled: false
 param_container_name: "{{ project_name }}"
-param_usage_include_vols: false
-param_volumes:
 param_usage_include_ports: true
 param_ports:
   - {external_port: "8088", internal_port: "8088", port_desc: "Web app and server port"}
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
   - {env_var: "AUTH_LIST", env_value: "plexuser1,plexuser2,email1,machineid1", desc: "If set, only the users defined here and the users of the plex servers defined here will be able to access the server. Use e-mails, plex usernames and/or plex server machine ids, comma separated, no spaces."}
-# optional parameters
-optional_block_1: false
-optional_block_1_items: ""
+readonly_supported: true
+nonroot_supported: true
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
@@ -70,6 +67,7 @@ init_diagram: |
   "synclounge:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "19.12.24:", desc: "Add support for read-only and non-root operation."}
   - {date: "05.12.24:", desc: "Rebase to Alpine 3.21."}
   - {date: "04.06.24:", desc: "Rebase to Alpine 3.20."}
   - {date: "26.08.23:", desc: "Rebase to Alpine 3.19. Remove deprecated `AUTOJOIN_ENABLED` & `AUTOJOIN_ROOM` options."}

root/etc/s6-overlay/s6-rc.d/svc-synclounge/run

@@ -6,6 +6,12 @@ if [ -n "${AUTH_LIST}" ]; then
     export authentication__authorized="[\"$(echo ${AUTH_LIST} | sed 's|,|", "|g')\"]"
 fi
 
-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8088" \
-        s6-setuidgid abc synclounge
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8088" \
+            s6-setuidgid abc synclounge
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8088" \
+            synclounge
+fi