Merge pull request #2637 from nextcloud/enh/1581/add-example-containers

.github/workflows/community-containers.yml

@@ -0,0 +1,37 @@
+name: Validate community containers
+
+on:
+  pull_request:
+    paths:
+      - 'community-containers/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'community-containers/**'
+
+jobs:
+  validator-community-containers:
+    name: Validate community containers
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Validate structure
+        run: |
+          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
+          mapfile -t CONTAINERS <<< "$CONTAINERS"
+          for container in "${CONTAINERS[@]}"; do
+            container="$(echo "$container" | sed 's|./community-containers/||')"
+            if ! [ -f ./community-containers/"$container"/"$container.json" ]; then
+                echo ".json file must be named like its parent folder $container"
+                FAIL=1
+            fi
+            if ! [ -f ./community-containers/"$container"/readme.md ]; then
+                echo "There must be a readme.md file in the folder!"
+                FAIL=1
+            fi
+            if [ -n "$FAIL" ]; then
+                exit 1
+            fi
+          done

.github/workflows/json-validator.yml

@@ -23,3 +23,11 @@ jobs:
           sudo apt-get install python3-pip -y --no-install-recommends
           sudo pip3 install json-spec
           json validate --schema-file=php/containers-schema.json --document-file=php/containers.json
+          JSON_FILES="$(find ./community-containers -name '*.json')"
+          mapfile -t JSON_FILES <<< "$JSON_FILES"
+          for file in "${JSON_FILES[@]}"; do
+            json validate --schema-file=php/containers-schema.json --document-file="$file" | tee -a ./json-validator.log
+          done
+          if grep "Exception: document does not validate with schema." ./json-validator.log; then
+            exit 1
+          fi

community-containers/fail2ban/fail2ban.json

@@ -0,0 +1,26 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-fail2ban",
+            "display_name": "Fail2ban",
+            "image": "szaimen/aio-fail2ban",
+            "image_tag": "%AIO_CHANNEL%",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "cap_add": [
+                "NET_ADMIN",
+                "NET_RAW"
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_nextcloud",
+                    "destination": "/nextcloud",
+                    "writeable": false
+                }
+            ]
+        }
+    ]
+}

community-containers/fail2ban/readme.md

@@ -0,0 +1 @@
+This is not working on Docker Desktop since it needs network_mode: host in order to work correctly.

community-containers/readme.md

@@ -0,0 +1 @@
+## This is a WIP and not working yet!

php/containers-schema.json

@@ -39,7 +39,7 @@
 					},
 					"display_name": {
 						"type": "string",
-						"pattern": "^[A-Za-z ]+$"
+						"pattern": "^[A-Za-z 0-9]+$"
 					},
 					"environment": {
 						"type": "array",
@@ -51,7 +51,7 @@
 					},
 					"container_name": {
 						"type": "string",
-						"pattern": "^nextcloud-aio-[a-z-]+$"
+						"pattern": "^nextcloud-aio-[a-z0-9-]+$"
 					},
 					"internal_port": {
 						"type": "string",

php/src/Docker/DockerActionManager.php

@@ -477,7 +477,9 @@ class DockerActionManager
         }
 
         // Disable arp spoofing
-        $requestBody['HostConfig']['CapDrop'] = ['NET_RAW'];
+        if (!in_array('NET_RAW', $capAdds, true)) {
+            $requestBody['HostConfig']['CapDrop'] = ['NET_RAW'];
+        }
 
         if ($container->isApparmorUnconfined()) {
             $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];