anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix/merge-testing-to-main #4

Merged
anti merged 138 commits from fix/merge-testing-to-main into main 2026-04-12 10:10:19 +02:00
Conversation 0 Commits 138 Files Changed 270 +14 -16
3 changed files with 14 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit fe46b8fc0b - Show all commits

5
decnet/composer.py
View File

@@ -69,8 +69,11 @@ def generate_compose(config: DecnetConfig) -> dict:
# Inject the per-decky base image into build services so containers
# vary by distro and don't all fingerprint as debian:bookworm-slim.
# Services that need a fixed upstream image (e.g. conpot) can pre-set
# build.args.BASE_IMAGE in their compose_fragment() to opt out.
if "build" in fragment:
fragment["build"].setdefault("args", {})["BASE_IMAGE"] = decky.build_base
args = fragment["build"].setdefault("args", {})
args.setdefault("BASE_IMAGE", decky.build_base)
fragment.setdefault("environment", {})
fragment["environment"]["HOSTNAME"] = decky.hostname

4
decnet/services/conpot.py
View File

@@ -1,4 +1,3 @@
import os
from pathlib import Path
from decnet.services.base import BaseService
@@ -24,7 +23,8 @@ class ConpotService(BaseService):
return {
"build": {
"context": str(self.dockerfile_context())
"context": str(self.dockerfile_context()),
"args": {"BASE_IMAGE": "honeynet/conpot:latest"},
},
"container_name": f"{decky_name}-conpot",
"restart": "unless-stopped",

21
templates/conpot/Dockerfile
View File

@@ -3,21 +3,16 @@ FROM ${BASE_IMAGE}
USER root
# Replace 5020 with 502 in all templates
# Replace 5020 with 502 in all templates so Modbus binds on the standard port
RUN find /opt /usr /etc /home -name "*.xml" -exec sed -i 's/<port>5020<\/port>/<port>502<\/port>/g' {} + 2>/dev/null || true
RUN find /opt /usr /etc /home -name "*.xml" -exec sed -i 's/port="5020"/port="502"/g' {} + 2>/dev/null || true
# Install libcap to allow binding to 502
# Install libcap and give the Python interpreter permission to bind ports < 1024
RUN (apt-get update && apt-get install -y --no-install-recommends libcap2-bin 2>/dev/null) || (apk add --no-cache libcap 2>/dev/null) || true
RUN find /home/conpot/.local/bin /usr /opt -type f -name 'python*' -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true
# Apply setcap to python binaries
RUN find /usr /opt -type f -name 'python*' -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true
# Create the decnet user following repository conventions
RUN (addgroup -S decnet && adduser -S decnet -G decnet 2>/dev/null) || useradd -r -s /bin/false decnet 2>/dev/null || true
# Make sure all conpot-related directories are owned by decnet so it can run it
RUN chown -R decnet:decnet /var/log/conpot /opt/conpot /home/conpot /usr/local/lib/python*/site-packages/conpot/tests/data /tmp 2>/dev/null || true
# Run as decnet user, avoiding the root-check failure and 777 hacks
USER decnet
# The upstream image already runs as the non-root 'conpot' user.
# We do NOT switch to a 'decnet' user here — doing so breaks pkg_resources
# because conpot's eggs live under /home/conpot/.local and are only on the
# Python path when the interpreter runs as 'conpot'.
USER conpot