From 57db3889325ef95896d2677306e7d20d4d3360c8 Mon Sep 17 00:00:00 2001
From: invario <67800603+invario@users.noreply.github.com>
Date: Mon, 22 Dec 2025 20:25:28 -0500
Subject: [PATCH 1/3] Docker with non-root using supercronic

Replaces cronie with supercronic to allow non-root users to have cronjobs. Creates user/group acme:acme UID:1000/GID:1000 with home directory pointing to LE_CONFIG_HOME (default: /acme.sh) 'crontab' is generated in LE_CONFIG_HOME which is used by supercronic. Note that `acme.sh --installcronjob` and `--uninstallcronjob` when run as a non-root user will fail but neither of should be used in `daemon` mode anyway.

Signed-off-by: invario <67800603+invario@users.noreply.github.com>
---
 Dockerfile | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 36b2adac..64d14909 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,7 @@ RUN apk --no-cache add -f \
 libidn \
 jq \
 yq-go \
- cronie
+ supercronic
 ENV LE_WORKING_DIR=/acmebin
@@ -30,10 +30,12 @@ COPY ./deploy /install_acme.sh/deploy
 COPY ./dnsapi /install_acme.sh/dnsapi
 COPY ./notify /install_acme.sh/notify
-RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
+RUN addgroup -g 1000 acme && adduser -h $LE_CONFIG_HOME -s /bin/sh -G acme -D -H -u 1000 acme
+RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
-RUN ln -s $LE_WORKING_DIR/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab -
+RUN ln -s $LE_WORKING_DIR/acme.sh /usr/local/bin/acme.sh \
+ && crontab -l | grep acme.sh | sed 's#> /dev/null##' > $LE_CONFIG_HOME/crontab
 RUN for verb in help \
 version \
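Review bot: The crontab that the new `RUN ln -s … > $LE_CONFIG_HOME/crontab` line writes is the command schedule supercronic will execute, and the later entry.sh RUN in this same patch still runs `chmod -R o+rwx $LE_CONFIG_HOME` (outside this hunk), so that file ends up world-writable and anything able to write the `/acme.sh` volume can change the commands run as the acme user. Now that a dedicated uid is created on the line above, own the file instead of opening it to others: `chown acme:acme $LE_CONFIG_HOME/crontab && chmod 644 $LE_CONFIG_HOME/crontab` appended to this RUN. Note also that `adduser -h $LE_CONFIG_HOME -H` points the account's home at a directory that is still root-owned at this point in the build, so nothing here yet lets uid 1000 write to it.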
@@ -72,12 +74,15 @@ RUN for verb in help \
 RUN printf "%b" '#!'"/usr/bin/env sh\n \
 if [ \"\$1\" = \"daemon\" ]; then \n \
- exec crond -n -s -m off \n \
+ echo \"Running Supercronic using crontab at \$LE_CONFIG_HOME/crontab\" \n \
+ exec -- /usr/bin/supercronic \"\$LE_CONFIG_HOME/crontab\" \n \
 else \n \
 exec -- \"\$@\"\n \
 fi\n" >/entry.sh && chmod +x /entry.sh && chmod -R o+rwx $LE_WORKING_DIR && chmod -R o+rwx $LE_CONFIG_HOME
 VOLUME /acme.sh
+USER 1000:1000
+
 ENTRYPOINT ["/entry.sh"]
 CMD ["--help"]

From 6f5a0c5d5e961a7886cd3fae6ac72daab94787b1 Mon Sep 17 00:00:00 2001
From: invario <67800603+invario@users.noreply.github.com>
Date: Tue, 23 Dec 2025 21:45:41 -0500
Subject: [PATCH 2/3] have entry.sh (instead of dockerfile) generate crontab file

Signed-off-by: invario <67800603+invario@users.noreply.github.com>
---
 Dockerfile | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 64d14909..626f835d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,8 +34,7 @@ RUN addgroup -g 1000 acme && adduser -h $LE_CONFIG_HOME -s /bin/sh -G acme -D -H
 RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
-RUN ln -s $LE_WORKING_DIR/acme.sh /usr/local/bin/acme.sh \
- && crontab -l | grep acme.sh | sed 's#> /dev/null##' > $LE_CONFIG_HOME/crontab
+RUN ln -s $LE_WORKING_DIR/acme.sh /usr/local/bin/acme.sh
 RUN for verb in help \
 version \
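Review bot: `USER 1000:1000` drops root, but the RUN line that builds entry.sh keeps `chmod -R o+rwx $LE_WORKING_DIR && chmod -R o+rwx $LE_CONFIG_HOME`, so the unprivileged acme user now executes `acme.sh` out of a world-writable directory and, with `AUTO_UPGRADE=1` defaulted elsewhere in this file, presumably rewrites it there too; any other process with a handle on those paths can swap in a script that then runs with access to the account and certificate keys. Since a dedicated uid exists now, replace the two `chmod -R o+rwx` calls with ownership, `chown -R acme:acme $LE_WORKING_DIR $LE_CONFIG_HOME`, and leave other-write off. The printf that generates entry.sh starts inside this hunk but the chmod chain is on its final line, so the fix is a one-line edit of that line.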
@@ -74,6 +73,13 @@ RUN for verb in help \
 RUN printf "%b" '#!'"/usr/bin/env sh\n \
 if [ \"\$1\" = \"daemon\" ]; then \n \
+ if [ ! -f \"\$LE_CONFIG_HOME/crontab\" ]; then \n \
+ echo \"\$LE_CONFIG_HOME/crontab not found, generating one\" \n \
+ time=\$(date -u \"+%s\") \n \
+ random_minute=\$((\$time % 60)) \n \
+ random_hour=\$((\$time / 60 % 24)) \n \
+ echo \"\$random_minute \$random_hour * * * \\\"\$LE_WORKING_DIR\\\"/acme.sh --cron --home \\\"\$LE_WORKING_DIR\\\" --config-home \\\"\$LE_CONFIG_HOME\\\"\" > \"\$LE_CONFIG_HOME\"/crontab \n \
+ fi \n \
 echo \"Running Supercronic using crontab at \$LE_CONFIG_HOME/crontab\" \n \
 exec -- /usr/bin/supercronic \"\$LE_CONFIG_HOME/crontab\" \n \
 else \n \
@@ -82,7 +88,5 @@ fi\n" >/entry.sh && chmod +x /entry.sh && chmod -R o+rwx $LE_WORKING_DIR && chmo
 VOLUME /acme.sh
-USER 1000:1000
-
 ENTRYPOINT ["/entry.sh"]
 CMD ["--help"]

From 6a98b9f81e9057cd0eda1427a446da20cc305d1d Mon Sep 17 00:00:00 2001
From: invario <67800603+invario@users.noreply.github.com>
Date: Tue, 30 Dec 2025 12:44:46 -0500
Subject: [PATCH 3/3] chown /acme.sh to non-root user and set HOME to /acme.sh

Signed-off-by: invario <67800603+invario@users.noreply.github.com>
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 626f835d..15439e5a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,6 +20,8 @@ ENV LE_WORKING_DIR=/acmebin
 ENV LE_CONFIG_HOME=/acme.sh
+ENV HOME=/acme.sh
+
 ARG AUTO_UPGRADE=1
 ENV AUTO_UPGRADE=$AUTO_UPGRADE
@@ -36,6 +38,8 @@ RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/
 RUN ln -s $LE_WORKING_DIR/acme.sh /usr/local/bin/acme.sh
+RUN chown -R acme:acme $LE_CONFIG_HOME
+
 RUN for verb in help \
 version \
 install \
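Review bot: The generated-crontab branch writes with `echo … > "$LE_CONFIG_HOME"/crontab` and never checks that the redirect succeeded, so on a read-only or wrongly-owned volume the script still prints "Running Supercronic…" and supercronic presumably fails later on a missing file with a less useful message. Add a check on the write, `|| { echo \"cannot write \$LE_CONFIG_HOME/crontab\" >&2; exit 1; }`, after the redirect (keeping the printf escaping this RUN uses). The minute and hour come from `date -u +%s`, not from a random source, which is fine for spreading renewals but makes the `random_*` names overstate it; a comment such as `# derive a stable per-start offset from the clock to stagger renewals` would make the intent clear. The entry.sh text continues past the end of the hunk.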
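Review bot: This hunk removes the `USER 1000:1000` that PATCH 1 added, so the image again starts as root unless the operator passes `--user`, yet the commit message only speaks of moving crontab generation into entry.sh and does not say that reverting to root by default is intended. If the aim is to leave the uid to the run command (so bind mounts with other ownership keep working), state it in the commit message and next to `ENTRYPOINT`, e.g. `# No USER is set: run with --user 1000:1000 (or any uid that can write the /acme.sh volume); the default remains root`. Otherwise keep the `USER` line so the non-root default this series is named for actually holds.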
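Review bot: `ENV HOME=/acme.sh` is placed before the `RUN … acme.sh --install` step, so the build-time install now runs with HOME pointing at the volume directory; if the installer writes anything under `$HOME` (upstream `--install` adds an alias line to a detected shell profile unless told not to; confirm for this build), those files land in `/acme.sh` and are copied into every fresh volume. If that is not wanted, move this `ENV HOME` below the install RUN, or add a comment recording that it was checked: `# HOME is the volume dir so the non-root user's dotfiles resolve there; --install has been verified to leave nothing in it`.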
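Review bot: `chown -R acme:acme $LE_CONFIG_HOME` sets ownership in the image layer, but that directory is the `VOLUME /acme.sh` mount point: the ownership carries into a named volume initialised from the image, whereas with a host bind mount the host's ownership wins and uid 1000 may be unable to create the crontab that entry.sh writes. The later entry.sh RUN (outside this hunk) also still runs `chmod -R o+rwx $LE_CONFIG_HOME` after this chown, which leaves everything world-writable and undoes the least-privilege point of owning it. Drop that chmod now that ownership is correct, and document the bind-mount case: `# When bind-mounting /acme.sh, the host directory must be writable by uid 1000 (chown -R 1000:1000 <dir>)`.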