From bc54860ad6458a396cfe0cf8529e448f3608b66d Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Thu, 5 May 2022 11:48:35 +0800
Subject: [PATCH 1/3] Avoid using valid path for illustrative purpose

Otherwise docker will really create this example path on host machine which is bad.
---
 dist/docker/Readme.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dist/docker/Readme.md b/dist/docker/Readme.md
index d5d4b0d6d..5b856ff09 100644
--- a/dist/docker/Readme.md
+++ b/dist/docker/Readme.md
@@ -42,8 +42,8 @@ docker build \
 -p "$QBT_WEBUI_PORT":"$QBT_WEBUI_PORT" \
 -p 6881:6881/tcp \
 -p 6881:6881/udp \
- -v /your_path/config:/config \
- -v /your_path/downloads:/downloads \
+ -v /config:/config \
+ -v /downloads:/downloads \
 qbittorrent-nox:"$QBT_VERSION"
 ```
 Then you can login at: `http://127.0.0.1:8080`
@@ -67,5 +67,5 @@ docker build \
 ### Volumes
 
 There are some paths involved:
-* `/your_path/config` on your host machine will contain qBittorrent configurations
-* `/your_path/downloads` on your host machine will contain the files downloaded by qBittorrent
+* `/config` on your host machine will contain qBittorrent configurations
+* `/downloads` on your host machine will contain the files downloaded by qBittorrent

From 6778d36454b57648b8bba36e1c6962f79a74304b Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Thu, 5 May 2022 11:51:42 +0800
Subject: [PATCH 2/3] Make the container filesystem read-only

It is not expected to modify the filesystem of the container. Mounted volumes (-v) are not affected.
---
 dist/docker/Readme.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dist/docker/Readme.md b/dist/docker/Readme.md
index 5b856ff09..faedf359c 100644
--- a/dist/docker/Readme.md
+++ b/dist/docker/Readme.md
@@ -35,6 +35,7 @@ docker build \
 QBT_WEBUI_PORT=8080
 docker run \
 -it \
+ --read-only \
 --rm \
 --name qbittorrent-nox \
 -e QBT_EULA \

From 0e456f33c10e9e5e716288fd9e0c0ac0691c8806 Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Thu, 5 May 2022 13:30:18 +0800
Subject: [PATCH 3/3] Run qbt-nox as non-root

This is mainly to avoid downloaded files being owned by root which requires another one or two commands to change the file ownership.
---
 dist/docker/Dockerfile | 10 +++++++++-
 dist/docker/entrypoint.sh | 15 +++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/dist/docker/Dockerfile b/dist/docker/Dockerfile
index 8bf8937f1..4b0bd4552 100644
--- a/dist/docker/Dockerfile
+++ b/dist/docker/Dockerfile
@@ -40,9 +40,17 @@ FROM alpine:latest
 RUN \
 apk --no-cache add \
+ doas \
 libtorrent-rasterbar \
 qt6-qtbase \
- tini
+ tini && \
+ adduser \
+ -D \
+ -H \
+ -s /sbin/nologin \
+ -u 1000 \
+ qbtUser && \
+ echo "permit nopass :root" >> "/etc/doas.d/doas.conf"
 COPY --from=builder /usr/local/bin/qbittorrent-nox /usr/bin/qbittorrent-nox
diff --git a/dist/docker/entrypoint.sh b/dist/docker/entrypoint.sh
index 20f551217..c49f0b76c 100755
--- a/dist/docker/entrypoint.sh
+++ b/dist/docker/entrypoint.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 
+downloadsPath="/downloads"
 profilePath="/config"
 qbtConfigFile="$profilePath/qBittorrent/config/qBittorrent.conf"
 
@@ -22,7 +23,13 @@ EOF
 fi
 fi
 
-qbittorrent-nox \
- --profile="$profilePath" \
- --webui-port="$QBT_WEBUI_PORT" \
- "$@"
+# those are owned by root by default
+# don't change existing files owner in `$downloadsPath`
+chown qbtUser:qbtUser "$downloadsPath"
+chown qbtUser:qbtUser -R "$profilePath"
+
+doas -u qbtUser \
+ qbittorrent-nox \
+ --profile="$profilePath" \
+ --webui-port="$QBT_WEBUI_PORT" \
+ "$@"
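Review bot: The rule appended to doas.conf at the end of the RUN step, `permit nopass :root`, lets any process in group root switch to any user without a password, while the entrypoint only ever needs root to become qbtUser; `permit nopass root as qbtUser cmd qbittorrent-nox` limits the grant to that one transition and command. The uid is fixed by `-u 1000`, so files qbittorrent-nox writes into the mounted volumes appear on the host as uid 1000 whatever the operator's own uid is; a build argument (`ARG QBT_UID=1000` before the RUN, `-u "$QBT_UID"` in adduser) would make it adjustable without editing the Dockerfile. The rule is written to `/etc/doas.d/doas.conf` and only takes effect if the doas package on the Alpine release that `alpine:latest` resolves to at build time reads that path directly or through an include; worth confirming, since an unread rule makes every `doas` call in the entrypoint fail at start-up.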
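Review bot: The two `chown` calls added before the doas line run as root on every start with no error check and the script has no `set -e`, so when one fails (a read-only or root-squashed mount, or no volume attached at `$downloadsPath`) only a warning is printed and qbittorrent-nox is launched anyway, presumably unable to write its profile. `set -e` after the shebang, or `|| exit 1` on each chown, surfaces that at start-up, and writing the option first (`chown -R qbtUser:qbtUser "$profilePath"`) keeps the call portable to POSIX chown implementations. The final command should also be `exec doas -u qbtUser \` so that, with tini as PID 1 as the package list suggests, SIGTERM from `docker stop` reaches qbittorrent-nox rather than the intermediate shell and the container can shut down cleanly. The two comment lines above the chowns would read better as `# The volumes are root-owned by default; hand them to qbtUser.` and `# Only the top-level $downloadsPath is chowned so existing downloads keep their owner.`. The `fi` lines at the top of the hunk close conditionals that start before it, and the `EOF` in the hunk header ends a heredoc that lies outside the hunk.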