BrandonS Posted July 11, 2017 Share Posted July 11, 2017 (edited) Currently the docker UI in unraid is quite complete but it is currently missing the ability to add "commands/args" to the end of the docker run command. There is a work around by putting this info in "Repository" field of the UI but this breaks the update functionality. So it would be great if this could be added to the UI as another field so everything works correctly. For more info you can look here Edited July 11, 2017 by BrandonS Quote Link to comment
brandur Posted July 12, 2017 Share Posted July 12, 2017 I might be wrong, but isn't that what the "Extra Parameters" is for(under "Advanced View" in the top right when editing docker settings)? Quote Link to comment
JonathanM Posted July 12, 2017 Share Posted July 12, 2017 13 minutes ago, brandur said: I might be wrong, but isn't that what the "Extra Parameters" is for(under "Advanced View" in the top right when editing docker settings)? You would think that, but it puts the parameters in the wrong order in the run command. 1 Quote Link to comment
Squid Posted July 12, 2017 Share Posted July 12, 2017 1 hour ago, jonathanm said: You would think that, but it puts the parameters in the wrong order in the run command. The extra parameters field is used for extra parameters to the docker RUN command, and places them before the repository. Any extra parameters to the container itself can't be used here and for the time being have to be added to the repository entry which then messes up checking for updates Quote Link to comment
BrandonS Posted September 26, 2017 Author Share Posted September 26, 2017 Who can I bribe to get this feature included in 6.4? Quote Link to comment
bonienl Posted September 26, 2017 Share Posted September 26, 2017 17 hours ago, BrandonS said: Who can I bribe to get this feature included in 6.4? No need to bribe anyone, it is already included in 6.4. 1 Quote Link to comment
BrandonS Posted September 26, 2017 Author Share Posted September 26, 2017 YES! This has been a pita for a while. Thanks for the info. Quote Link to comment
CHBMB Posted September 26, 2017 Share Posted September 26, 2017 24 minutes ago, bonienl said: No need to bribe anyone, it is already included in 6.4. Nice one @bonienl! I hadn't even noticed.... Quote Link to comment
nexusmaniac Posted June 26, 2018 Share Posted June 26, 2018 (edited) @bonienl How do we run more than one command at the end? I can't figure out the syntax for doing more than one thing ? I'm trying to do: /usr/sbin/netdata -D -u root -s /host -p 19999 & sleep 10; chown -R root:root /usr/share/netdata/web/ Edited June 26, 2018 by nexusmaniac Quote Link to comment
Jcloud Posted June 26, 2018 Share Posted June 26, 2018 58 minutes ago, nexusmaniac said: 'm trying to do: /usr/sbin/netdata -D -u root -s /host -p 19999 & sleep 10; chown -R root:root /usr/share/netdata/web/ Perhaps encapsulate it inside a file, for a shell script, and then call the script file? That's what I would try. myscript.sh #!/bin/bash -e /usr/sbin/netdata -D -u root -s /host -p 19999 sleep 10 chown -R root:root /usr/share/netdata/web/ change file mode for executable, and user permissions. Then call myscript.sh in the template. It wouldn't surprise me if this way is the ghetto way, and there are better ways. Just my two cents, for what it's worth. Quote Link to comment
nexusmaniac Posted June 26, 2018 Share Posted June 26, 2018 7 minutes ago, Jcloud said: Perhaps encapsulate it inside a file, for a shell script, and then call the script file? That's what I would try. myscript.sh #!/bin/bash -e /usr/sbin/netdata -D -u root -s /host -p 19999 sleep 10 chown -R root:root /usr/share/netdata/web/ change file mode for executable, and user permissions. Then call myscript.sh in the template. It wouldn't surprise me if this way is the ghetto way, and there are better ways. Just my two cents, for what it's worth. root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Netdata' --net='host' --privileged=true -e TZ="Europe/London" -e HOST_OS="unRAID" -v '/mnt/user/appdata/netdata/':'/etc/netdata':'rw' -v '/proc/':'/host/proc':'ro' -v '/sys/':'/host/sys':'ro' -v '/var/run/docker.sock':'/var/run/docker.sock':'ro' --cap-add SYS_PTRACE --log-opt max-size=50m --log-opt max-file=1 'firehol/netdata:alpine' /home/mnt/appdata/netdata.sh f723f711eba0535c487aa68fceac4cdfc4ba3e02277459fef5e4368e6aef06c9 /usr/bin/docker: Error response from daemon: oci runtime error: container_linux.go:265: starting container process caused "exec: "/home/mnt/appdata/netdata.sh": stat /home/mnt/appdata/netdata.sh: no such file or directory". The command failed. I just created that script and put it in /mnt/user/appdata/netdata.sh ? Can't run it in the "Post Arguments" field... Running one command in the "Post Arguments" field works fine though: Cheers for the reply! I'm probably just doing something wrong haha ? Quote Link to comment
Jcloud Posted June 26, 2018 Share Posted June 26, 2018 10 minutes ago, nexusmaniac said: /mnt/user/appdata/netdata.sh Perhaps the file hasn't been made executable? (hazard guess) chmod +x /mnt/user/appdata/netdata.sh Then try to add it to extra parameter as: ;/mnt/user/appdata/netdata.sh I know the above looks odd, but the thought of leading ";' is to terminate /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run..... Also, I'm a newb - so I'll ask for clarification, are is that shell script inside or outside the container you are running? 1 Quote Link to comment
nexusmaniac Posted June 26, 2018 Share Posted June 26, 2018 (edited) 24 minutes ago, Jcloud said: Perhaps the file hasn't been made executable? (hazard guess) chmod +x /mnt/user/appdata/netdata.sh Then try to add it to extra parameter as: ;/mnt/user/appdata/netdata.sh I know the above looks odd, but the thought of leading ";' is to terminate /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run..... Also, I'm a newb - so I'll ask for clarification, are is that shell script inside or outside the container you are running? I'd already made it executable ? Turns out you're right! Sticking a semi-colon ; in front of the script worked! ? I was also doing another investigation alongside this, I can also run: bash -c 'chown -R root:root /usr/share/netdata/web/ && /usr/sbin/netdata -D -u root -s /host -p 19999' With the same effect (turns out I didn't need the sleep after all, I was being overly cautious aha ------- The script was outside of the container In my regular appdata folder Edited June 26, 2018 by nexusmaniac 1 Quote Link to comment
bonienl Posted June 29, 2018 Share Posted June 29, 2018 On 6/26/2018 at 7:30 PM, nexusmaniac said: bonienl How do we run more than one command at the end? I can't figure out the syntax for doing more than one thing ? Running arbitrary commands/scripts in the extra parameters field poses a security threat. Chances are that this is prohibited in future releases. Just to let you know. Quote Link to comment
nexusmaniac Posted June 29, 2018 Share Posted June 29, 2018 16 minutes ago, bonienl said: Running arbitrary commands/scripts in the extra parameters field poses a security threat. Chances are that this is prohibited in future releases. Just to let you know. ? I very much hope not - there are many valid use cases for this... ? I've only recently discovered the feature - It's not like we're doing anything non-native to Docker? Docker supports additional args on the CLI. Restricting the unRAID Docker GUI is unnecessary IMO What security threat does it pose, out of curiosity Quote Link to comment
bonienl Posted June 29, 2018 Share Posted June 29, 2018 1 minute ago, nexusmaniac said: What security threat does it pose, out of curiosity A container author *may* hide malicious code in the extra or post fields. It can run without any relation to the container. Admitted, chances are low and any author doing this will be banned for life here! 1 Quote Link to comment
nexusmaniac Posted June 29, 2018 Share Posted June 29, 2018 Just now, bonienl said: A container author *may* hide malicious code in the extra or post fields. It can run without any relation to the container. Admitted, chances are low and any author doing this will be banned for life here! Perhaps don't allow authors to do this? But do allow users to manually intervene? Not sure if that's possible with your current template implementation But that's the first thought that pops into my head Quote Link to comment
bonienl Posted June 29, 2018 Share Posted June 29, 2018 1 minute ago, nexusmaniac said: Perhaps don't allow authors to do this? But do allow users to manually intervene? Not sure if that's possible with your current template implementation But that's the first thought that pops into my head Will certainly look into that option. 1 Quote Link to comment
Squid Posted June 29, 2018 Share Posted June 29, 2018 (edited) 5 hours ago, bonienl said: Admitted, chances are low Chances low or not, doesn't change the if it can happen, Murphy says that it will happen. There is a ton of code in CA sanitizing and looking for possible attacks and then automatically taking appropriate action. Thus far, no author has ever failed the tests. 5 hours ago, bonienl said: author doing this will be banned for life here! If an author / maintainer is willing to hide code in the template, then I think they wouldn't particularly care about the consequences. 5 hours ago, nexusmaniac said: Perhaps don't allow authors to do this? But do allow users to manually intervene? It currently does work like this on the extra parameters. Piping to a command via the post arguments has been removed during the 6.5 series. Sorry, but I do believe in security, and so long as it is possible for an attack vector to exist, my belief is that it should get closed. Trouble is that by far the absolute easiest method (and least bug free) way of removing these vectors is at the time the docker run/create command exists. If CA was a "official" plugin and the notion of repositories was removed from unRaid completely, then only CA would need to be patched, which would prevent any author from attacking your system. But, since repositories still exist and are the "official" method of installing a container, then it's my belief that unRaid itself also needs to be patched to prevent this (with the side effect that a user can't leverage the system to do what you want). My problem right now is that I just ran through a thought experiment, and there is a ton of ways that it is possible for a malicious / PO'd maintainer to be able to arbitrarily execute any command. I've got to think about where I do draw the line (if I draw a line at all), and convenience vs possible risks. If @bonienl chooses to change the method of how and where these patches are handled in dockerMan, then it is up to him (and for Limetech to even approve my patches in the first place) But, even there you're not particularly screwed. All you would have to do to avoid any of this is to set the containers to not autostart, and then via user scripts, manually issue the docker start command via the user scripts plugin. docker start nameOfContainer ; bashCommands Absolute worst case is that you would have to issue a the full docker run command as given by the template as a script. I think that in the grand picture of things, it is better to inconvenience one user (there are workarounds) than to risk an attack to all users. Edited June 29, 2018 by Squid 1 1 Quote Link to comment
Squid Posted July 22, 2018 Share Posted July 22, 2018 @nexusmaniac FYI, the next release of unRaid will not allow any docker run command issued through the GUI that contains any extra bash commands or redirects to execute. CA when running on the next release will also automatically blacklist any raw template from a maintainer that includes any attempt to do so. Your workaround is to manually start the containers as per the post above. Quote Link to comment
nexusmaniac Posted July 22, 2018 Share Posted July 22, 2018 1 minute ago, Squid said: @nexusmaniac FYI, the next release of unRaid will not allow any docker run command issued through the GUI that contains any extra bash commands or redirects to execute. CA when running on the next release will also automatically blacklist any raw template from a maintainer that includes any attempt to do so. Your workaround is to manually start the containers as per the post above. That's a shame But cheers for the heads up, appreciated! Dockers started / created on the CLI won't appear in the GUI, will they? And the only way I could automate something like a Docker run command on the CLI would be via Cron / User Scripts? Quote Link to comment
Squid Posted July 22, 2018 Share Posted July 22, 2018 Just now, nexusmaniac said: Dockers started / created on the CLI won't appear in the GUI, will they? It will. You add the app the same way. You just won't be able to have them autostart (or start at all) if you have the extra commands. If you absolutely require to run extra bash commands whenever the app starts, then you remove the extra commands from the template, and have user scripts run the docker start command and the extra commands you require. 1 Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.