From 3998139db10a8b126f5abfee66f4c60e8b4e913e Mon Sep 17 00:00:00 2001
From: thespad
Date: Thu, 12 Dec 2024 19:03:31 +0000
Subject: [PATCH] Rebase to 3.21, support non-root operation
---
.github/workflows/external_trigger.yml | 22 ++++++++++---------
Dockerfile | 2 +-
Dockerfile.aarch64 | 2 +-
README.md | 6 +++++
readme-vars.yml | 2 ++
.../s6-rc.d/init-readarr-config/run | 9 ++++----
root/etc/s6-overlay/s6-rc.d/svc-readarr/run | 15 +++++++++----
7 files changed, 38 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
index d8518d0..942b487 100644
--- a/.github/workflows/external_trigger.yml
+++ b/.github/workflows/external_trigger.yml
@@ -43,16 +43,18 @@ jobs: token=$(curl -sX GET \ "https://ghcr.io/token?scope=repository%3Alinuxserver%2Freadarr%3Apull" \ | jq -r '.token') - multidigest=$(curl -s \ - --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ - --header "Authorization: Bearer ${token}" \ - "https://ghcr.io/v2/${image}/manifests/${tag}" \ - | jq -r 'first(.manifests[].digest)') - digest=$(curl -s \ - --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ - --header "Authorization: Bearer ${token}" \ - "https://ghcr.io/v2/${image}/manifests/${multidigest}" \ - | jq -r '.config.digest') + multidigest=$(curl -s \ + --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + --header "Accept: application/vnd.oci.image.index.v1+json" \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/manifests/${tag}") + multidigest=$(jq -r ".manifests[] | select(.platform.architecture == \"amd64\").digest?" <<< "${multidigest}") + digest=$(curl -s \ + --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + --header "Accept: application/vnd.oci.image.manifest.v1+json" \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/manifests/${multidigest}" \ + | jq -r '.config.digest') image_info=$(curl -sL \ --header "Authorization: Bearer ${token}" \ "https://ghcr.io/v2/${image}/blobs/${digest}") diff --git a/Dockerfile b/Dockerfile index 5680144..a624a19 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine:3.20 +FROM ghcr.io/linuxserver/baseimage-alpine:3.21 # set version label ARG BUILD_DATE diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index b71bd8c..7d4826e 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20 +FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.21 # set version label ARG BUILD_DATE 
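Review bot: `multidigest` is placed into the second manifest URL in the external_trigger.yml hunk without any check that the jq filter produced exactly one non-empty digest. The trailing `?` only guards `.digest`, so a response with no `manifests` array (an error body, or a tag that is not an index) would make `.manifests[]` fail and leave the variable empty, and an index with more than one amd64 entry would yield several lines; both cases are inferred from the filter, not observed. Wrapping the filter as `first(.manifests[] | select(.platform.architecture == \"amd64\").digest)` and adding `[[ -n "${multidigest}" ]] || exit 1` (or whatever failure path the rest of the step uses) before the second request would make the trigger fail visibly instead of comparing against a bogus digest. The step continues outside the hunk, so later handling may already cover part of this.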
diff --git a/README.md b/README.md index cccd0a9..50c2afd 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,10 @@ The folks over at servarr.com wrote a good [write-up](https://wiki.servarr.com/d This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/). +## Non-Root Operation + +This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/). + ## Usage To help you get started creating a container from this image you can either use docker-compose or the docker cli. @@ -141,6 +145,7 @@ Containers are configured using parameters passed at runtime (such as those abov | `-v /books` | Location of Book library on disk (See note in Application setup) | | `-v /downloads` | Location of download managers output directory (See note in Application setup) | | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). | +| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). | ## Environment variables from files (Docker secrets) @@ -304,6 +309,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **12.12.24:** - Rebase to Alpine 3.21. * **25.05.24:** - Rebase to Alpine 3.20. * **20.03.24:** - Rebase to Alpine 3.19. * **06.06.23:** - Rebase nightly to Alpine 3.18. diff --git a/readme-vars.yml b/readme-vars.yml index d750f05..a6184ea 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -28,6 +28,7 @@ param_usage_include_ports: true param_ports: - {external_port: "8787", internal_port: "8787", port_desc: "The port for the Readarr web UI"} readonly_supported: true +nonroot_supported: true # application setup block app_setup_block_enabled: true app_setup_block: | 
@@ -85,6 +86,7 @@ init_diagram: | "readarr:nightly" <- Base Images # changelog changelogs: + - {date: "12.12.24:", desc: "Rebase to Alpine 3.21."} - {date: "25.05.24:", desc: "Rebase to Alpine 3.20."} - {date: "20.03.24:", desc: "Rebase to Alpine 3.19."} - {date: "06.06.23:", desc: "Rebase nightly to Alpine 3.18."} diff --git a/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run b/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run index 12adc03..bc8cb5d 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run @@ -3,7 +3,8 @@ mkdir -p /run/readarr-temp -# permissions -lsiown -R abc:abc \ - /config \ - /run/readarr-temp +if [[ -z ${LSIO_NON_ROOT_USER} ]]; then + lsiown -R abc:abc \ + /config \ + /run/readarr-temp +fi diff --git a/root/etc/s6-overlay/s6-rc.d/svc-readarr/run b/root/etc/s6-overlay/s6-rc.d/svc-readarr/run index 44006a5..44f4a51 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-readarr/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-readarr/run @@ -1,7 +1,14 @@ #!/usr/bin/with-contenv bash # shellcheck shell=bash -exec \ - s6-notifyoncheck -d -n 300 -w 1000 \ - cd /app/readarr/bin s6-setuidgid abc /app/readarr/bin/Readarr \ - -nobrowser -data=/config +if [[ -n ${LSIO_NON_ROOT_USER} ]]; then + exec \ + s6-notifyoncheck -d -n 300 -w 1000 \ + cd /app/readarr/bin /app/readarr/bin/Readarr \ + -nobrowser -data=/config +else + exec \ + s6-notifyoncheck -d -n 300 -w 1000 \ + cd /app/readarr/bin s6-setuidgid abc /app/readarr/bin/Readarr \ + -nobrowser -data=/config +fi
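Review bot: The new `if` block in init-readarr-config/run has no comment, and the old `# permissions` comment is removed, so a reader cannot tell why ownership is left untouched when `LSIO_NON_ROOT_USER` is set. I would add `# non-root mode: skip chown; /config must already be writable by the --user UID/GID` above the `if`. That the operator is expected to set ownership beforehand is inferred from the README pointer to the non-root docs, so the wording should be confirmed against them. `mkdir -p /run/readarr-temp` still runs in both modes.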
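Review bot: The branch in svc-readarr/run that omits `s6-setuidgid abc` is selected only by `LSIO_NON_ROOT_USER` being non-empty, and the script runs under `with-contenv`, so the container environment is visible to it. Where that variable is set is not shown in this patch; if it can be non-empty while the container still starts as root, Readarr would keep root instead of dropping to `abc`. Checking the effective UID as well keeps the safe default: `if [[ -n ${LSIO_NON_ROOT_USER} ]] && [[ "$(id -u)" -ne 0 ]]; then`. The same variable alone also gates the `lsiown` call in init-readarr-config/run.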