From bda3d2dcf8a97549c33143bae21c95e5d386c9e5 Mon Sep 17 00:00:00 2001 From: Kjeld Schouten Date: Wed, 7 May 2025 19:49:45 +0200 Subject: [PATCH 1/4] update readme to reflect non-root options --- README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/README.md b/README.md index 85a3666..5a2fb06 100755 --- a/README.md +++ b/README.md @@ -65,6 +65,28 @@ $ docker run -d \ If the exposed ports are modified (in the case of multiple containers/servers on the same host) the `arkmanager` config will need to be modified to reflect the change as well. This is required so that `arkmanager` can properly check the server status and so that the ARK server itself can properly publish its IP address and query port to steam. + +#### Running without sudo capability or root + +Its perfectly possible to run the container without sudo or root user. +However, this means a lot of automated permission fixes and checks will be skipped as well. + +For this to be handled correctly: +- Use UID/GID 1001 +- Ensure all required folders are mounted and have their permissions *manually* set to 1001/1001 before using the container +- No Linux capabilities are needed +- privileged mode is not needed +- The container will not prevent any Privilege Escalation + +#### Running with a hardened filesystem + +Some container platforms, primarily on kubernetes, offer the option to disable writability to the container root filesystem `readOnlyRootFilesystem`. +The container is perfectly capable of being ran with this setting enabled, with the following caveats: + +- All folders containing any data being writhen, temporary or otherwise, explicitly need a writable folder attached +- if `/var/spool/cron/crontabs/` is not mounted to a writable folder, crontab will *not* be setup + + ## Environment Variables A set of required environment variables have default values provided as part of the image: From df7430b0a3ed84e0d3ff648bf5bf6d9de31aea70 Mon Sep 17 00:00:00 2001 
From: Kjeld Schouten Date: Wed, 7 May 2025 19:52:18 +0200 Subject: [PATCH 2/4] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5a2fb06..226ce88 100755 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ For this to be handled correctly: - Ensure all required folders are mounted and have their permissions *manually* set to 1001/1001 before using the container - No Linux capabilities are needed - privileged mode is not needed -- The container will not prevent any Privilege Escalation +- The container will not attempt any Privilege Escalation #### Running with a hardened filesystem From 37ad2741b65ea0868eacdccf28dd29c8e110a8a8 Mon Sep 17 00:00:00 2001 From: Kjeld Schouten Date: Wed, 7 May 2025 19:53:30 +0200 Subject: [PATCH 3/4] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 226ce88..e537cd4 100755 --- a/README.md +++ b/README.md @@ -137,6 +137,8 @@ The optional volumes can be used to share the server binary files or `clusters` | /arkserver | (optional, $ARKSERVER_SHARED) Directory that contains the server binary files from steam, shared for multiple instances | | /arkserver/ShooterGame/Saved | (depends) Directory that contains the game save files - must be mounted if using shared server files | | /arkserver/ShooterGame/Saved/clusters | (depends) Directory that contains the shared cluster files required to jump from one ARK server to another - must be mounted if using shared server files | +| /var/spool/cron/crontabs/ | crontab storage | + ### Subdirectories of /ark From f489d32a930be0e37ae2156f805cb7bdede1f2bf Mon Sep 17 00:00:00 2001 From: Kjeld Schouten Date: Wed, 7 May 2025 21:34:31 +0200 Subject: [PATCH 4/4] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index e537cd4..cf919c5 100755 --- a/README.md +++ b/README.md 
@@ -74,10 +74,12 @@ However, this means a lot of automated permission fixes and checks will be skipp For this to be handled correctly: - Use UID/GID 1001 - Ensure all required folders are mounted and have their permissions *manually* set to 1001/1001 before using the container +- `/arkserver/ShooterGame` has to be added as its own seperate mountpoint or folder with correct permissions, before the container is ran. - No Linux capabilities are needed - privileged mode is not needed - The container will not attempt any Privilege Escalation + #### Running with a hardened filesystem Some container platforms, primarily on kubernetes, offer the option to disable writability to the container root filesystem `readOnlyRootFilesystem`.
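Review bot: In PATCH 1/4's README.md hunk (`@@ -65,6 +65,28 @@`), the bullet "The container will not prevent any Privilege Escalation" reads as a warning that escalation is possible, which is the opposite of what a non-root mode should tell an operator; the intended meaning is that the container does not attempt any escalation, so the wording should say so. The two neighbouring bullets "No Linux capabilities are needed" and "privileged mode is not needed" would be more useful if they also stated what the operator can therefore set (for Docker, `--cap-drop=ALL` and no `--privileged`), since the point of the section is to let people lock the container down. The crontab caveat under "Running with a hardened filesystem" should say what functionality depends on cron so a reader can judge whether skipping it matters. Spelling and grammar in the added text: "Its perfectly possible" should be "It's perfectly possible", "being ran" should be "being run", "writhen" should be "written", and "will *not* be setup" should be "will *not* be set up".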
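Review bot: In PATCH 2/4's hunk (`@@ -76,7 +76,7 @@`), changing "prevent" to "attempt" fixes the inverted meaning, but the bullet still leaves the operator to infer the consequence; since the section that follows already targets kubernetes, suggest stating it explicitly, for example "- The container will not attempt any Privilege Escalation, so `allowPrivilegeEscalation: false` can be set". As a style point, the commit subjects "Update README.md" on patches 2/4 through 4/4 describe nothing about the change; the first patch's "update readme to reflect non-root options" is the pattern to follow.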
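Review bot: In PATCH 3/4's hunk (`@@ -137,6 +137,8 @@`), the new table row `| /var/spool/cron/crontabs/ | crontab storage |` does not follow the format of the sibling rows, which carry an "(optional ...)" or "(depends)" qualifier and a sentence describing the directory, and it is the only path with a trailing slash. Suggest something like `| /var/spool/cron/crontabs | (optional) Directory where the container writes its crontab; must be a writable mount when the root filesystem is read-only |`, which also ties the row back to the caveat added in the "Running with a hardened filesystem" section. The extra `+` blank line leaves two blank lines before "### Subdirectories of /ark".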
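Review bot: In PATCH 4/4's hunk (`@@ -74,10 +74,12 @@`), the new bullet says `/arkserver/ShooterGame` "has to be added as its own seperate mountpoint or folder with correct permissions" but not why, and the volumes table lists only `/arkserver` and `/arkserver/ShooterGame/Saved`, so a reader cannot tell whether this applies only when the server files are shared or always. Suggest stating the reason (the automated permission fixes mentioned in the preceding paragraph are skipped without root, so this directory will not be created or chowned by the container) and the condition under which it applies. Spelling and grammar: "seperate" should be "separate" and "before the container is ran" should be "before the container is run". The added trailing `+` blank line leaves two blank lines before the "#### Running with a hardened filesystem" heading.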