From b3c019262172d49eda60cef154524b1d6064773f Mon Sep 17 00:00:00 2001
From: yusing
Date: Mon, 28 Apr 2025 01:35:09 +0800
Subject: [PATCH] fix: docker compose and bind permission
---
 .env.example | 1 +
 Dockerfile | 2 +-
 Makefile | 8 ++++----
 compose.example.yml | 7 +++----
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.env.example b/.env.example
index 5ecca18..cb1b437 100644
--- a/.env.example
+++ b/.env.example
@@ -60,6 +60,7 @@ GODOXY_FRONTEND_ALIASES=godoxy
 # Docker socket
 # /var/run/podman/podman.sock for podman
 DOCKER_SOCKET=/var/run/docker.sock
+SOCKET_PROXY_LISTEN_ADDR=127.0.0.1:2375
 
 # Debug mode
 GODOXY_DEBUG=false
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 0213437..12be8e7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ HEALTHCHECK NONE
 
 # package version does not matter
 # trunk-ignore(hadolint/DL3018)
-RUN apk add --no-cache tzdata make
+RUN apk add --no-cache tzdata make libcap-setcap
 
 ENV GOPATH=/root/go
 
diff --git a/Makefile b/Makefile
index 47d0d1f..52304fb 100755
--- a/Makefile
+++ b/Makefile
@@ -60,11 +60,11 @@ else
 SETCAP_CMD = sudo setcap
 endif
 
+
+# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
 ifeq ($(docker), 1)
- POST_BUILD = mkdir -p /app && mv ${BIN_PATH} /app/run
-else
- # CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
- POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH}
+ POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
 endif
 
 .PHONY: debug
diff --git a/compose.example.yml b/compose.example.yml
index 09ec757..c96753d 100755
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -18,7 +18,7 @@ services:
 tmpfs:
 - /run
 ports:
- - 127.0.0.1:2375:2375
+ - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:2375"]
 interval: 1m30s
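Review bot: The new `SOCKET_PROXY_LISTEN_ADDR` is given as host:port here (`127.0.0.1:2375`) and the compose.example.yml `ports:` hunk expands it as host:port as well (`${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375`), but the `DOCKER_HOST` hunk later in that file treats it as a bare host (`tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1}:2375`), so with this example value the app gets `DOCKER_HOST=tcp://127.0.0.1:2375:2375`, while a bare host value would break the port mapping instead. One meaning has to be picked; the smaller change is to keep host:port and make the compose line `- DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}`. A comment above the variable would also help, since it decides where the Docker API proxy is reachable from: `# Host:port the socket proxy is published on; keep it on loopback unless the Docker API is meant to be reachable from other hosts`.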
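Review bot: `libcap-setcap` is installed so the Makefile's POST_BUILD can set the file capability on the binary during `docker build`, but that capability lives in the `security.capability` xattr, and nothing in this hunk shows whether `/app/run` stays in this stage or is copied into another one. If it is copied, check the final image with `getcap /app/run` before relying on it, since an xattr that does not survive the copy fails silently and only shows up as a bind error at runtime. The rest of the Dockerfile is outside the hunk.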
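Review bot: Joining the steps with `;` means a failed `setcap` (binary missing, xattrs unsupported on the build filesystem) does not stop the build; `mkdir`/`mv` still run and the image ships a binary without CAP_NET_BIND_SERVICE, which only surfaces later as a bind error. Chaining with `&&` and letting make's `+=` supply the separating space keeps the failure visible: `POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH}` and, inside the `ifeq`, `POST_BUILD += && mkdir -p /app && mv ${BIN_PATH} /app/run`. Whether the recipe that expands POST_BUILD runs with `set -e`, and whether the `ifeq` that picks `SETCAP_CMD` avoids `sudo setcap` for the docker case, cannot be seen here since both are outside the hunk.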
@@ -32,6 +32,7 @@ services:
 network_mode: host # do not change this
 env_file: .env
 user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+ read_only: true
 security_opt:
 - no-new-privileges:true
 cap_drop:
@@ -63,10 +64,8 @@ services:
 - no-new-privileges:true
 cap_drop:
 - all
- cap_add:
- - NET_BIND_SERVICE
 environment:
- - DOCKER_HOST=127.0.0.1:2375
+ - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1}:2375
 volumes:
 - ./config:/app/config
 - ./logs:/app/logs
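Review bot: `read_only: true` is added without a writable scratch location; with the root filesystem read-only, any write the process makes outside a mounted path (temp files, caches, pid files) fails with EROFS at runtime rather than at `compose up`. If the service needs one, add `tmpfs:` with `- /tmp` next to it, as the socket-proxy service earlier in the file already does for `/run`. Which paths this service writes cannot be seen here, as the service definition starts before the hunk.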
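Review bot: Removing `cap_add: NET_BIND_SERVICE` while `cap_drop: all` and `no-new-privileges:true` stay means the only thing left granting the :80/:443 bind is the file capability set by the Makefile hunk, and that is unlikely to take effect: `no-new-privileges` makes the runtime set no_new_privs before exec, which renders file capabilities non-functional, and a capability dropped from the bounding set cannot be gained from the file either. Worth confirming on a started container (bind to :80 as the configured user, or `getpcaps` on the process) before this ships; if it fails, either keep NET_BIND_SERVICE in the bounding set or, if this service also uses host networking where Docker's per-container unprivileged-port sysctl does not apply, lower `net.ipv4.ip_unprivileged_port_start` on the host. The `user:` and `network_mode:` lines for this service, if present, are outside the hunk.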