tag alpine image as latest

Dockerfile

@@ -1,23 +1,28 @@
 FROM alpine:latest
 
+ARG DEBUG
+ENV DEBUG=${DEBUG}
+
 VOLUME /exports
 WORKDIR /root
 RUN mkdir -p /run/openrc
 RUN touch /run/openrc/softlevel
 RUN apk add --no-cache --update openrc 
-RUN apk add --no-cache --update --verbose alpine-conf tzdata bash krb5-server nfs-utils iproute2 krb5-server-openrc procps krb5 syslog-ng chrony
+RUN apk add --no-cache --update --verbose tzdata bash krb5-server nfs-utils krb5-server-openrc krb5 syslog-ng chrony
-
-
 
+RUN if [ -n "${DEBUG}" ]; then \
+apk add --no-cache --update iproute2 procps; \
+fi
 
 RUN rc-update add syslog-ng boot
 RUN rc-update add krb5kdc default
 RUN rc-update add krb5kadmind default
 RUN rc-update add nfs default
 
+COPY  ./common.sh .
 COPY ./entrypoint.sh .
 COPY ./init.sh .
-RUN chmod +x ./entrypoint.sh && chmod +x ./init.sh 
+RUN chmod +x ./entrypoint.sh && chmod +x ./init.sh && chmod +x ./common.sh 
 
 RUN ls
 

Dockerfile.ubuntu

@@ -1,14 +1,21 @@
 FROM ubuntu:latest
 
+ARG DEBUG
 ENV DEBIAN_FRONTEND=noninteractive
+ENV DEBUG=${DEBUG}
 
 WORKDIR /root
 RUN apt-get update
-RUN apt-get install -y nfs-kernel-server krb5-kdc krb5-admin-server nfs-common bash iproute2 iputils-ping net-tools
+RUN apt-get install -y nfs-kernel-server krb5-kdc krb5-admin-server nfs-common bash
 
+RUN if [ -n "${DEBUG}" ]; then \
+apt-get install iproute2 iputils-ping net-tools; \
+fi
+
+COPY ./common.sh .
 COPY ./entrypoint-ubuntu.sh .
 COPY ./init.sh .
-RUN chmod +x ./entrypoint-ubuntu.sh && chmod +x ./init.sh 
+RUN chmod +x ./entrypoint-ubuntu.sh && chmod +x ./init.sh && chmod +x ./common.sh 
 
 RUN ls
 

README.md

@@ -0,0 +1,45 @@
+# thealmightydrawingtablet/nfs-krb
+
+it's an NFS server with kerberos integrated out of the box !
+
+## why?
+
+because nobody else has made one for some reason ¯\\\_(ツ)\_/¯
+
+# usage
+
+### sharing directory via env var
+
+```bash
+# works for both ubuntu and alpine images
+docker run -d --privileged -v /path/on/host:/container/srv \
+	-e SHARED_DIRECTORY=/container/srv -e PERMITTED=10.0.0.0/8 \
+	-e NFS_KRB_PRINC=nfs/localhost.local -e NFS_KRB_REALM=LOCALHOST.LOCAL -e NFS_KRB_PWD='unguessable!'
+```
+
+### bring your own `/etc/exports`
+
+```bash
+# ubuntu
+docker run -d --privileged -v /path/on/host:/container/srv -v ./exports:/etc/exports \
+	-e PERMITTED=10.0.0.0/8 \
+	-e NFS_KRB_PRINC=nfs/localhost.local -e NFS_KRB_REALM=LOCALHOST.LOCAL -e NFS_KRB_PWD='unguessable!'
+
+# alpine
+docker run -d --privileged -v /path/on/host:/container/srv/folder-1 -v /another/thing:/container/srv/folder-2 -v ./exports:/etc/exports.mnt \
+	-e PERMITTED=10.0.0.0/8 \
+	-e NFS_KRB_PRINC=nfs/localhost.local -e NFS_KRB_REALM=LOCALHOST.LOCAL -e NFS_KRB_PWD='unguessable!'
+```
+
+## recognized configuration environment variables
+
+| Variable           | Default            | Required | Alpine | Ubuntu | Description                                                                     |
+| ------------------ | ------------------ | -------- | ------ | ------ | ------------------------------------------------------------------------------- |
+| `NFS_KRB_REALM`    | -                  | yes      | ✅     | ✅     | Kerberos realm to authenticate with.                                            |
+| `NFS_KRB_PRINC`    | -                  | yes      | ✅     | ✅     | the service principal which will be added to the keytab.                        |
+| `NFS_KRB_PWD`      | -                  | yes      | ✅     | ✅     | kerberos database master password, as well as the password for `NFS_KRB_PRINC`. |
+| `RW_MODE`          | `rw`               | no       | ✅     | ✅     | controls NFS export read/write mode and the per-share option string.            |
+| `SRV_TZ`           | `America/New_York` | no       | ✅     | ❌     | overrides the system timezone.                                                  |
+| `SHARED_DIRECTORY` | -                  | no       | ✅     | ✅     | determines whether to configure a singular export.                              |
+| `PERMITTED`        | `*`                | no       | ✅     | ✅     | provides the allowed client list for a single exported directory.               |
+

build.sh

@@ -1,7 +1,11 @@
 #!/bin/bash
 
 IMAGE=${IMAGE:-"thealmightydrawingtablet/nfs-krb"}
-VERSION=$(git for-each-ref refs/tags --sort=-taggerdate --format='%(refname:short)' --count=1)
+VERSION=$(git tag --sort=-committerdate | grep -vi debug | head -n 1)
 
-docker build --progress=plain -t "${IMAGE}:alpine" -t "${IMAGE}:${VERSION}-alpine" .
 docker build --progress=plain -t "${IMAGE}:ubuntu" -t "${IMAGE}:${VERSION}-ubuntu" -f ./Dockerfile.ubuntu .
+docker build --progress=plain -t "${IMAGE}:alpine" -t "${IMAGE}:${VERSION}-alpine" -t "${IMAGE}:latest" .
+
+if [ "$1" == "push" ]; then
+	docker push --all-tags "${IMAGE}"
+fi

common.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+
+cat > /etc/krb5.conf << EOL
+[logging]
+    default = SYSLOG:DEBUG
+    kdc = SYSLOG:DEBUG 
+    admin_server = SYSLOG:DEBUG 
+
+[libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    default_realm = ${NFS_KRB_REALM}
+
+[realms]
+    ${NFS_KRB_REALM} = {
+        kdc = localhost 
+        admin_server = localhost
+    }
+EOL
+
+cat > /etc/idmapd.conf << EOC
+[General]
+Domain = ${NFS_KRB_REALM}
+Verbosity = 5
+EOC
+
+cat > /etc/nfs.conf << EOC
+[general]
+pipefs-directory=/run/rpc_pipefs
+
+[exports]
+
+[exportfs]
+debug=1
+
+[gssd]
+verbosity=5
+rpc-verbosity=5
+keytab-file=/etc/krb5.keytab
+
+[exportd]
+debug="all"
+
+[mountd]
+debug="all"
+manage-gids=y
+port=892
+
+[nfsdcld]
+debug=1
+
+[nfsdcltrack]
+debug=1
+
+[nfsd]
+debug=1
+# threads=8
+# host=
+# grace-time=90
+# lease-time=90
+udp=y
+tcp=y
+vers3=y
+vers4=y
+vers4.0=y
+vers4.1=y
+vers4.2=y
+EOC
+
+touch /var/lib/krb5kdc/kadm5.acl
+
+kdb5_util -r "${NFS_KRB_REALM}" create -s << EOL
+${NFS_KRB_PWD}
+${NFS_KRB_PWD}
+EOL
+
+DOMAIN=$(echo "$NFS_KRB_REALM" | tr '[:upper:]' '[:lower:]')
+echo "${DOMAIN}" > /etc/hostname
+
+# setup logging
+
+rpcdebug -m nfsd -s all
+rpcdebug -m nfs -s all
+rpcdebug -m rpc -s all
+
+kadmin.local << EOS
+addprinc ${NFS_KRB_PRINC}@${NFS_KRB_REALM}
+${NFS_KRB_PWD}
+${NFS_KRB_PWD}
+ktadd -norandkey ${NFS_KRB_PRINC}@${NFS_KRB_REALM}
+EOS

entrypoint-ubuntu.sh

@@ -35,73 +35,12 @@ EOE
 	chmod 777 "${SHARED_DIRECTORY}"
 fi
 
-cat > /etc/krb5.conf << EOL
-[logging]
-    default = SYSLOG:DEBUG
-    kdc = SYSLOG:DEBUG 
-    admin_server = SYSLOG:DEBUG 
-
-[libdefaults]
-    dns_lookup_realm = false
-    ticket_lifetime = 24h
-    renew_lifetime = 7d
-    forwardable = true
-    rdns = false
-    default_realm = ${NFS_KRB_REALM}
-
-[realms]
-    ${NFS_KRB_REALM} = {
-        kdc = localhost 
-        admin_server = localhost
-    }
-EOL
 cat > /etc/idmapd.conf << EOC
 [General]
 Domain = $DOMAIN
 Verbosity = 5
 EOC
 
-cat > /etc/nfs.conf << EOC
-[general]
-pipefs-directory=/run/rpc_pipefs
-
-[exportfs]
-debug=1
-
-[gssd]
-verbosity=5
-rpc-verbosity=5
-keytab-file=/etc/krb5.keytab
-
-[exportd]
-debug="all"
-
-[mountd]
-debug="all"
-manage-gids=y
-port=892
-
-[nfsdcld]
-debug=1
-
-[nfsdcltrack]
-debug=1
-
-[nfsd]
-debug=1
-# threads=8
-# host=
-# grace-time=90
-# lease-time=90
-udp=y
-tcp=y
-vers3=y
-vers4=y
-vers4.0=y
-vers4.1=y
-vers4.2=y
-EOC
-
 cat > /etc/default/nfs-common << EOC
 NEED_STATD=y
 
@@ -114,32 +53,10 @@ EOC
 
 echo NEED_SVCGSSD=y > /etc/default/nfs-kernel-server
 
-
+./common.sh
-touch /var/lib/krb5kdc/kadm5.acl
 
 exportfs -rvaf
 
-
-kdb5_util -r "${NFS_KRB_REALM}" create -s << EOL
-${NFS_KRB_PWD}
-${NFS_KRB_PWD}
-EOL
-
-echo "${DOMAIN}" > /etc/hostname
-
-# setup logging
-
-syslogd 
-rpcdebug -m nfsd -s all
-rpcdebug -m nfs -s all
-rpcdebug -m rpc -s all
-kadmin.local << EOS
-addprinc ${NFS_KRB_PRINC}@${NFS_KRB_REALM}
-${NFS_KRB_PWD}
-${NFS_KRB_PWD}
-ktadd -norandkey ${NFS_KRB_PRINC}@${NFS_KRB_REALM}
-EOS
-
 export OPTS_RPC_MOUNTD='--debug all -t 8 -N 3'
 echo "OPTS_RPC_MOUNTD=\"${OPTS_RPC_MOUNTD}\"" >> /etc/conf.d/nfs
 service nfs restart

entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xuo pipefail
+set -xo pipefail
 trap "stop; exit 0;" SIGTERM SIGINT
 
 stop()
@@ -13,13 +13,15 @@ stop()
 	exit
 }
 
-DEFALUT_TIMEZONE="America/New York"
+DEFALUT_TIMEZONE="America/New_York"
 DEFAULT_PERMITTED="*"
 RW_MODE="rw"
 UID=${NFS_UID:-0}
 
+apk add --no-cache --update alpine-conf
 setup-timezone -z "${SRV_TZ:-${DEFALUT_TIMEZONE}}"
 apk del alpine-conf
+
 cat > /etc/chrony/chrony.conf << 'EOF'
 	pool 0.pool.ntp.org iburst
 	pool 1.pool.ntp.org iburst
@@ -37,104 +39,32 @@ if [ -n "${SHARED_DIRECTORY}" ]; then
 EOE
 
 	chmod 777 "${SHARED_DIRECTORY}"
+else
+	cp /etc/exports.mnt /etc/exports
+	grep -vi "^[[:space:]]*#" /etc/exports | while read -r line; do
+			if [ -n "${line}" ]; then
+				trimmed="${line##*([[:space:]])}"
+				# shellcheck disable=SC2001
+				rcdir="$(eval "declare -a str=($( echo "$trimmed" | sed 's/[][`~!@#$%^&*():;<>.,?|{}=+-]/\\&/g' )); echo \${str[0]}")"
+				cdir="${rcdir##*(\")}"
+				echo "${cdir}"
+				mkdir -p "/exports${cdir}"
+				mount --bind -o rw "${cdir}" "/exports${cdir}"
+				chmod 777 "/exports${cdir}"
+			fi
+	done
+	sed -i -r '/^[[:space:]]*#/!s/^("?)/\1\/exports/' /etc/exports
+	# root entry
+	echo -e "\n/exports *(rw,no_root_squash,insecure,no_subtree_check,nohide,fsid=0,sync,sec=krb5p:krb5i:krb5)" >> /etc/exports
 fi
 
-cat > /etc/krb5.conf << EOL
+# setup logging
-[logging]
+syslogd 
-    default = FILE:/var/log/krb5libs.log:DEBUG
-    kdc = FILE:/var/log/krb5kdc.log:DEBUG
-    admin_server = FILE:/var/log/kadmind.log:DEBUG
 
-[libdefaults]
+./common.sh
-    dns_lookup_realm = false
-    ticket_lifetime = 24h
-    renew_lifetime = 7d
-    forwardable = true
-    rdns = false
-    default_realm = ${NFS_KRB_REALM}
-
-[realms]
-    ${NFS_KRB_REALM} = {
-        kdc = localhost 
-        admin_server = localhost
-    }
-EOL
-
-cat > /etc/idmapd.conf << EOC
-[General]
-Domain = ${NFS_KRB_REALM}
-Verbosity = 5
-EOC
-
-cat > /etc/nfs.conf << EOC
-[general]
-pipefs-directory=/run/rpc_pipefs
-
-[exports]
-
-[exportfs]
-debug=1
-
-[gssd]
-verbosity=5
-rpc-verbosity=5
-keytab-file=/etc/krb5.keytab
-
-[exportd]
-debug="all"
-
-[mountd]
-debug="all"
-manage-gids=y
-port=892
-
-[nfsdcld]
-debug=1
-
-[nfsdcltrack]
-debug=1
-
-[nfsd]
-debug=1
-# threads=8
-# host=
-# grace-time=90
-# lease-time=90
-udp=y
-tcp=y
-vers3=y
-vers4=y
-vers4.0=y
-vers4.1=y
-vers4.2=y
-EOC
-
-touch /var/lib/krb5kdc/kadm5.acl
 
 exportfs -rvaf
 
-
-kdb5_util -r "${NFS_KRB_REALM}" create -s << EOL
-${NFS_KRB_PWD}
-${NFS_KRB_PWD}
-
-EOL
-
-echo "${NFS_KRB_REALM}" > /etc/hostname
-
-# setup logging
-
-syslogd 
-rpcdebug -m nfsd -s all
-rpcdebug -m nfs -s all
-rpcdebug -m rpc -s all
-kadmin.local << EOS
-addprinc ${NFS_KRB_PRINC}@${NFS_KRB_REALM}
-${NFS_KRB_PWD}
-${NFS_KRB_PWD}
-ktadd -norandkey ${NFS_KRB_PRINC}@${NFS_KRB_REALM}
-EOS
-
 export OPTS_RPC_MOUNTD='--debug all -t 8 -N 3'
 cat >> /etc/conf.d/nfs <<EOC
 OPTS_RPC_MOUNTD="${OPTS_RPC_MOUNTD}"
@@ -146,11 +76,12 @@ EOC
 rc-service krb5kdc start
 rc-service krb5kadmind start
 rc-service nfs start
-kill -9 `pidof rpc.svcgssd`
+
+# shellcheck disable=SC2046
+kill -9 $(pidof rpc.svcgssd)
 rpc.gssd -vf &> /var/log/rpc-gssd.log &
 rpc.svcgssd -vf &> /var/log/gssd.log &
 
-
 cat /etc/krb5.conf
 
 while true; do