Fix container privileges and Arcane deployment

Jonatan Castro · Jonatan Castro · commit 8b26bc7dafac · 2026-04-15T23:52:35.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 ARG PYTHON_BASE=python:3.12-slim@sha256:804ddf3251a60bbf9c92e73b7566c40428d54d0e79d3428194edf40da6521286
-ARG VERSION=0.1.1
+ARG VERSION=0.1.2
 ARG BUILD_DATE=unknown
 ARG VCS_REF=unknown
 ARG SOURCE_URL=https://github.com/jonatan/stopliga
@@ -25,7 +25,7 @@ RUN pip install --upgrade pip==26.0.1 setuptools==82.0.1 wheel==0.46.3 \
 
 FROM ${PYTHON_BASE} AS runtime
 
-ARG VERSION=0.1.1
+ARG VERSION=0.1.2
 ARG BUILD_DATE=unknown
 ARG VCS_REF=unknown
 ARG SOURCE_URL=https://github.com/jonatan/stopliga
diff --git a/README.md b/README.md
@@ -211,9 +211,10 @@ UNIFI_API_KEY_FILE=/run/secrets/unifi_api_key
 El `docker-compose.yml` del repo está simplificado para producción normal:
 
 - imagen `bluepr0/stopliga:latest`
-- `uid/gid 1000`
+- arranca como root solo para preparar `/data` y baja a `uid/gid 1000`
 - volumen `./data:/data`
 - secretos en `./secrets:/run/secrets:ro`
+- healthcheck desactivado en compose para evitar bloqueos del gestor de despliegue
 
 Prueba puntual:
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -16,6 +16,8 @@ services:
     read_only: true
     tmpfs:
       - /tmp
+    healthcheck:
+      disable: true
     cap_drop:
       - ALL
     security_opt:
diff --git a/docker/entrypoint.py b/docker/entrypoint.py
@@ -49,9 +49,26 @@ def _ensure_writable_paths(uid: int, gid: int) -> None:
 
 
 def _drop_privileges(uid: int, gid: int) -> None:
-    os.setgroups([])
-    os.setgid(gid)
-    os.setuid(uid)
+    try:
+        os.setgroups([])
+    except PermissionError:
+        pass
+
+    if os.getegid() != gid:
+        try:
+            os.setgid(gid)
+        except PermissionError as exc:
+            raise PermissionError(
+                f"Unable to switch group to {gid}; run the container as that user/group or allow SETGID"
+            ) from exc
+
+    if os.geteuid() != uid:
+        try:
+            os.setuid(uid)
+        except PermissionError as exc:
+            raise PermissionError(
+                f"Unable to switch user to {uid}; run the container as that user/group or allow SETUID"
+            ) from exc
 
 
 def main() -> int:
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "stopliga"
-version = "0.1.1"
+version = "0.1.2"
 description = "Synchronize a UniFi policy-based route with a public GitHub IP feed."
 readme = "README.md"
 requires-python = ">=3.11"
