From 4a78e481cc44f88413b7e21180c2e6f9d5aed093 Mon Sep 17 00:00:00 2001 From: Baptiste Gauduchon Date: Sun, 26 Apr 2020 13:43:08 +0000 Subject: [PATCH] :sparkles: run server with non-root user (#28) * :sparkles: running server using non-root user * :wrench: add shell exec script and doc * :pencil: small comment update in server config file * :pencil: updated server config doc --- Dockerfile | 54 ++++++++++--------- README.md | 6 +++ cod2server/main/config.cfg | 7 +-- doc/readme.md | 105 +++++++++++++++++++------------------ docker-compose.yaml | 2 +- scripts/dev-exec.sh | 5 ++ scripts/entrypoint.sh | 7 +-- 7 files changed, 104 insertions(+), 82 deletions(-) create mode 100755 scripts/dev-exec.sh diff --git a/Dockerfile b/Dockerfile index b7acfd2..75ddf71 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,14 @@ +# Available build arguments and default configuration +ARG COD2_VERSION="1_3" +ARG LIBCOD_GIT_URL="https://github.com/voron00/libcod" +# Choose in: [0 = mysql disables; 1 = default mysql; 2 = VoroN experimental mysql] +ARG LIBCOD_MYSQL_TYPE=1 + # Throwaway build stage FROM debian:buster-20190708-slim AS build - -# Configuration -ENV COD2_VER="1_3" \ - LIB_NAME="libcod2" \ - LIBCOD_GIT_URL="https://github.com/voron00/libcod" \ - # Choose in: [0 = mysql disables; 1 = default mysql; 2 = VoroN experimental mysql] - LIBCOD_MYSQL_TYPE=1 +ARG COD2_VERSION +ARG LIBCOD_GIT_URL +ARG LIBCOD_MYSQL_TYPE # Add i386 architecture support RUN dpkg --add-architecture i386 
@@ -24,14 +26,14 @@ RUN apt-get install -y --no-install-recommends default-libmysqlclient-dev:i386=1 RUN apt-get install -y --no-install-recommends libsqlite3-dev:i386=3.27.2-3 # Download libcod from "Voron00" -RUN git clone ${LIBCOD_GIT_URL} ${TMPDIR}/${LIB_NAME} +RUN git clone ${LIBCOD_GIT_URL} ${TMPDIR}/libcod2 # Build libcod2 -WORKDIR ${TMPDIR}/${LIB_NAME} -RUN yes ${LIBCOD_MYSQL_TYPE} | ./doit.sh cod2_${COD2_VER} -RUN mv bin/libcod2_${COD2_VER}.so /lib/libcod2_${COD2_VER}.so +WORKDIR ${TMPDIR}/libcod2 +RUN yes ${LIBCOD_MYSQL_TYPE} | ./doit.sh cod2_${COD2_VERSION} +RUN mv bin/libcod2_${COD2_VERSION}.so /lib/libcod2_${COD2_VERSION}.so -# Copy server binary and make it runable +# Copy server binary and make it runnable COPY bin/cod2_lnxded_1_3_nodelay_va_loc /bin/cod2_lnxded RUN chmod +x /bin/cod2_lnxded 
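Review bot: The `git clone ${LIBCOD_GIT_URL} ${TMPDIR}/libcod2` line fetches whatever the default branch holds at build time, and the following lines run that checkout's `./doit.sh` and install the resulting `.so`, which `scripts/entrypoint.sh` later loads into the server through `LD_PRELOAD`. Now that the URL is a build argument, the revision should be pinned as well: declare `ARG LIBCOD_GIT_REF=<commit-sha>` in this stage and follow the clone with `RUN git -C "${TMPDIR}/libcod2" checkout "${LIBCOD_GIT_REF}"`, quoting the expansions. The `COPY bin/cod2_lnxded_1_3_nodelay_va_loc` line in the same hunk still carries a literal `1_3`, so building with a non-default `COD2_VERSION` would pair the 1.3 server binary with a library built for another version.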
@@ -41,28 +43,32 @@ RUN chmod +x /entrypoint.sh # Runtime stage FROM alpine:3.11.6 -LABEL maintainer='bgauduch' +ARG COD2_VERSION +LABEL maintainer='bgauduch@github' -# Copy needed libraries from build stage -COPY --from=build /lib/i386-linux-gnu/ /lib/i386-linux-gnu/ +# Copy needed libraries and binaries from build stage COPY --from=build /usr/lib/i386-linux-gnu/ /usr/lib/i386-linux-gnu/ +COPY --from=build /lib/i386-linux-gnu/ /lib/i386-linux-gnu/ COPY --from=build /lib/ld-linux.so.2 /lib/ld-linux.so.2 -COPY --from=build /lib/libcod2_1_3.so /lib/libcod2_1_3.so - -# Copy cod2 server binary from build stage -COPY --from=build /bin/cod2_lnxded /server/cod2_lnxded +COPY --from=build /lib/libcod2_${COD2_VERSION}.so /lib/libcod2_${COD2_VERSION}.so +COPY --from=build /bin/cod2_lnxded /home/cod2/cod2_lnxded # Copy the entrypoint from build stage COPY --from=build /entrypoint.sh /entrypoint.sh +# setup the server non-root user +ENV SERVER_USER="cod2" +RUN addgroup -S ${SERVER_USER} && adduser -S -D -G ${SERVER_USER} ${SERVER_USER} +USER ${SERVER_USER} + # Exposed server ports EXPOSE 20500/udp 20510/udp 28960/tcp 28960/udp -# Set the server dir -WORKDIR /server - # Server "main" folder volume -VOLUME [ "/server/main" ] +VOLUME [ "/home/${SERVER_USER}/main" ] + +# Set the server dir +WORKDIR /home/${SERVER_USER} -# Launch server at container startup, using libcod library +# Launch server at container startup ENTRYPOINT [ "/entrypoint.sh"] diff --git a/README.md b/README.md index e867db1..e646201 100644 --- a/README.md +++ b/README.md @@ -74,6 +74,12 @@ You can use this script to display and follow the server logs: ./scripts/dev-logs.sh ``` +### Launch a shell in the container +You can use this script to launch a shell in the running container: +```sh +./scripts/dev-exec.sh +``` + ### Cleanup You can use this script to remove everything once your tests are over: ```sh diff --git a/cod2server/main/config.cfg b/cod2server/main/config.cfg index 995be6e..973e57d 100644 
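Review bot: The `addgroup`/`adduser` line under `# setup the server non-root user` leaves the UID and GID for BusyBox to pick, so the account's numeric id is not fixed by the Dockerfile. The host directory that docker-compose bind-mounts at `/home/cod2/main`, and any runtime policy that checks for a non-root numeric user, then have nothing stable to match against. Pinning the ids, for example `RUN addgroup -S -g 10001 ${SERVER_USER} && adduser -S -D -u 10001 -G ${SERVER_USER} ${SERVER_USER}` (10001 is an illustrative value), makes file ownership predictable. `SERVER_USER` is also set as a runtime `ENV` while the `COPY --from=build /bin/cod2_lnxded /home/cod2/cod2_lnxded` line above hard-codes the home path, so changing the variable alone would separate the binary from the `WORKDIR`; a stage-local `ARG` used in both places would keep them together.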
--- a/cod2server/main/config.cfg +++ b/cod2server/main/config.cfg @@ -44,7 +44,7 @@ set sv_maxrate "25000" // Pure on or Off: Pure is basicly an anticheat set sv_pure "1" -// Disable console access from client +// Disable rcon console access from client set sv_disableClientConsole "1" // Have the Server Show Up on GameSpy @@ -185,7 +185,8 @@ set scr_sd_bombtimer "60" set scr_tdm_scorelimit "100" set scr_tdm_timelimit "15" -// Set the Allowed Maps +// Set the map rotation and gametype set sv_maprotation "gametype tdm map mp_brecourt gametype ctf map mp_carentan gametype tdm map mp_farmhouse gametype ctf map mp_dawnville gametype tdm map mp_burgundy gametype ctf map mp_trainstation gametype tdm map mp_decoy gametype ctf map mp_toujane gametype tdm map mp_matmata gametype ctf map mp_railyard gametype tdm map mp_breakout gametype ctf map mp_leningrad gametype tdm map mp_downtown" -// Rotate to launch the first map + +/ Rotate to launch the first map map_rotate diff --git a/doc/readme.md b/doc/readme.md index a7b449e..9d455dc 100644 --- a/doc/readme.md +++ b/doc/readme.md 
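Review bot: In the second hunk the added line `/ Rotate to launch the first map` starts with a single slash, so it is no longer a `//` comment like the rest of the file and will probably be passed to the config parser as a command when `config.cfg` is executed. It should read `// Rotate to launch the first map`. The removed line had the correct `//` prefix, so this looks like an accidental edit rather than an intended change.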
@@ -1,94 +1,97 @@ # Call Of Duty 2 - server documentation -Full credit goes to http://anarchyrules.co.uk/cod2/server%20commands.html +Full credit goes to http://anarchyrules.co.uk/cod2/server%20commands.html + +## Server config +* `set fs_basepath`: set the game folder. +* `set fs_homepath`: set the multiplayer log file and live config folder. ## Map Name All maps are available in each gamemodes: -- DM: death match -- TDM: team death match -- SD: search & destroy -- CTF: capture the flag -- HQ: headquarter +- `dm`: death match +- `tdm`: team death match +- `sd`: search & destroy +- `ctf`: capture the flag +- `hq`: headquarter Map name list: -- mp_breakout -- mp_brecourt -- mp_burgundy -- mp_carentan -- mp_dawnville -- mp_decoy -- mp_downtown -- mp_farmhouse -- mp_leningrad -- mp_matmata -- mp_railyard -- mp_toujane -- mp_trainstation +- `mp_breakout` +- `mp_brecourt` +- `mp_burgundy` +- `mp_carentan` +- `mp_dawnville` +- `mp_decoy` +- `mp_downtown` +- `mp_farmhouse` +- `mp_leningrad` +- `mp_matmata` +- `mp_railyard` +- `mp_toujane` +- `mp_trainstation` ## Console Commands - Here are the available commands you can use in the server terminal. -You can use commands in-game from the console: add the `/rcon` prefix and allow in-game console in server settings. Carreful not leaking your password when rcon login ! +You can use commands in-game from the console: add the `/rcon` prefix and allow in-game console in server configuration (`sv_disableClientConsole=0`). ### rcon -* **/rcon login [rconpassword]**: -Login to remote rcon. +* `/rcon login [rconpassword]`: +Login to remote rcon. **Be carreful not leaking your password when using rcon login !** ### Common -* **status**: +* `status`: Displays info of all the players on the server. -* **serverinfo**: +* `serverinfo`: Shows the current server's settings. -* **systeminfo**: +* `systeminfo`: Shows the current system information. 
-* **tell [id]**: +* `tell [id]`: Sends private message to specified client id -* **say**: +* `say`: Broadcast a message to all players -* **exec [FILENAME]**: -Executes a Server Config File (located in your server's main directory) -* **writeconfig [FILENAME]**: -Saves a Server Config File +* `exec [FILENAME]`: +Executes a Server Config File (located in your server's main directory) +* `writeconfig [FILENAME]`: +Saves a Server Config File ### Gameplay -* **matchtimeout**: +* `matchtimeout`: Calls a match timeout (see server cvars for timeout settings) -* **matchtimein**: +* `matchtimein`: Cancels timeout -* **setkillcam**: +* `setkillcam`: Set the killcam cvar (now that it is read only during play) -* **setfriendlyfire**: +* `setfriendlyfire`: Set the friendly fire cvar (now that it is read only during play) -* **setdrawfriend**: +* `setdrawfriend`: Set the draw friend cvar (now that it is read only during play) ### Map commands -* **map mapname**: +* `map mapname`: Loads the map specified by mapname. -* **map_rotate**: +* `map_rotate`: Loads next map in rotation set in sv_maprotation. -* **map_restart**: +* `map_restart`: Restarts the map. ### Kick/ban Commands -* **kick [name]**: -Kicks a player by name from the server. (Must include Color Codes) -* **rcon onlykick [name]**: -Kicks a player by name from the server. (Does not need Color Codes) -* **clientkick [id]**: +* `kick [name]`: +Kicks a player by name from the server. (Must include Color Codes) +* `rcon onlykick [name]`: +Kicks a player by name from the server. (Does not need Color Codes) +* `clientkick [id]`: Kicks a player by client id from the server. -* **kick all**: +* `kick all`: Kicks all players from server -* **banUser [name]**: +* `banUser [name]`: Bans a user by their ingame name. Writes their GUID to ban.txt -* **banClient [id]**: +* `banClient [id]`: Bans a user by their client number. 
Writes their GUID to ban.txt -* **tempBanUser [name]**: +* `tempBanUser [name]`: Kicks and temporarily bans player by name from server. -* **tempBanClient [id]**: +* `tempBanClient [id]`: Kicks and temporarily bans player by client id from server -* **unban [name]**: +* `unban [name]`: Unban every player banned with [name]. If you want to unban a single player whose name appears more than once, you should edit "ban.txt" manually. diff --git a/docker-compose.yaml b/docker-compose.yaml index 12f9a6b..1f9bb7e 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -8,5 +8,5 @@ services: - "28960:28960/tcp" - "28960:28960/udp" volumes: - - ./cod2server/main:/server/main:ro + - ./cod2server/main:/home/cod2/main:ro restart: unless-stopped diff --git a/scripts/dev-exec.sh b/scripts/dev-exec.sh new file mode 100755 index 0000000..cacee0a --- /dev/null +++ b/scripts/dev-exec.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env sh +set -euo pipefail + +# execute a shell in the server service +docker-compose exec cod2_server sh diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index 8be0052..d7b0ac6 100644 --- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh @@ -1,8 +1,9 @@ #!/bin/sh set -euo pipefail -# launch server -LD_PRELOAD="/lib/libcod2_1_3.so" /server/cod2_lnxded +set fs_basepath "/server" +set fs_homepath "/home" +exec config.cfg +# launch server using libcod library +LD_PRELOAD='/lib/libcod2_1_3.so' ./cod2_lnxded +exec config.cfg +# +set fs_basepath "/server" +set fs_homepath "/server/home" # tail server logs in foreground -# tail -f -n 50 /home/main/games_mp.log \ No newline at end of file +# tail -f -n 50 /home/main/games_mp.log
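Review bot: In the new `scripts/dev-exec.sh`, `set -euo pipefail` sits under a `#!/usr/bin/env sh` shebang, but `pipefail` is not an option every `sh` accepts. On a host where `sh` is dash or another shell without it, the script aborts on line 2 before `docker-compose exec cod2_server sh` runs. The script contains no pipeline, so `set -eu` gives the same protection portably; alternatively change the shebang to a shell that is known to support the option.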
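Review bot: In `scripts/entrypoint.sh` the server is still started as a child of the `/bin/sh` wrapper, so the shell remains PID 1 and the SIGTERM sent by `docker stop` is not delivered to `cod2_lnxded`; with `restart: unless-stopped` every stop then waits for the kill timeout. Replacing the shell with the server, `exec env LD_PRELOAD='/lib/libcod2_1_3.so' ./cod2_lnxded +exec config.cfg`, keeps the preload scoped to the server process and lets it receive signals directly. The preload path is also a literal `libcod2_1_3.so` while the Dockerfile in this commit copies `libcod2_${COD2_VERSION}.so`, so an image built with another `COD2_VERSION` would start without the library the comment says it uses. A comment noting that `./cod2_lnxded` depends on the image's `WORKDIR` would help as well.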