feat: Improve support for unprivileged hosts (including LXC) (#479)

* * Add fakeroot to extract the dsm system without elevated permissions
* Remove obsolete docker variable "DEV" used to exclude extraction of device nodes

* feat: Detect unprivileged container

* fix: Use fakeroot for mke2fs

---------

Co-authored-by: Kroese <[email protected]>

Dockerfile

@@ -29,6 +29,7 @@ RUN apt-get update && apt-get -y upgrade \
         iptables \
         iproute2 \
         dnsmasq \
+        fakeroot \        
         net-tools \
         qemu-utils \
         ca-certificates \

src/install.sh

@@ -2,7 +2,6 @@
 set -Eeuo pipefail
 
 : ${URL:=''}    # URL of the PAT file to be downloaded.
-: ${DEV:='Y'}   # Controls whether device nodes are created.
 
 if [ -f "$STORAGE"/dsm.ver ]; then
   BASE=$(cat "$STORAGE/dsm.ver")
@@ -70,7 +69,6 @@ else
   TMP="/tmp/dsm"
   SPACE=$(df --output=avail -B 1 /tmp | tail -n 1)
   if (( MIN_SPACE > SPACE )); then
-    DEV="N"
     TMP="$STORAGE/tmp"
     info "Warning: the $FS filesystem of $STORAGE does not support UNIX permissions.."
   fi
@@ -101,6 +99,7 @@ fi
 
 # Download the required files from the Synology website
 
+ROOT="Y"
 RDC="$STORAGE/dsm.rd"
 
 if [ ! -f "$RDC" ]; then
@@ -140,14 +139,12 @@ if [ -f "$RDC" ]; then
   { xz -dc <"$RDC" >"$TMP/rd" 2>/dev/null; rc=$?; } || :
   (( rc != 1 )) && error "Failed to unxz $RDC, reason $rc" && exit 91
 
-  if [[ "$DEV" == [Nn]* ]]; then
-    # Exclude dev/ from cpio extract
-    { (cd "$TMP" && cpio -it < "$TMP/rd" | grep -Ev 'dev/' | while read -r entry; do cpio -idm "$entry" < "$TMP/rd" 2>/dev/null; done); rc=$?; } || :
+  { (cd "$TMP" && cpio -idm <"$TMP/rd" 2>/dev/null); rc=$?; } || :
+
+  if (( rc != 0 )); then
+    ROOT="N"
+    { (cd "$TMP" && fakeroot cpio -idmu <"$TMP/rd" 2>/dev/null); rc=$?; } || :
     (( rc != 0 )) && error "Failed to extract $RDC, reason $rc" && exit 92
-  else
-    { (cd "$TMP" && cpio -idm <"$TMP/rd" 2>/dev/null); rc=$?; } || :
-    (( rc != 0 )) && error "Failed to extract $RDC, reason $rc"
-    (( rc != 0 )) && error "If the container runs unprivileged, please set DEV=N to exclude device nodes." && exit 92
   fi
 
   mkdir -p /run/extract
@@ -272,31 +269,46 @@ sfdisk -q "$SYSTEM" < "$PART"
 
 info "Install: Extracting system partition..."
 
+LABEL="1.44.1-42218"
+OFFSET="1048576" # 2048 * 512
+NUMBLOCKS="622560" # (4980480 * 512) / 4096
+
 MOUNT="$TMP/system"
 rm -rf "$MOUNT" && mkdir -p "$MOUNT"
 
 mv "$HDA.tgz" "$HDA.txz"
 
-if [[ "$DEV" == [Nn]* ]]; then
-  # Exclude dev/ from tar extract
-  tar xpfJ "$HDA.txz" --absolute-names --exclude="dev" -C "$MOUNT/"
-else
+if [[ "$ROOT" != [Nn]* ]]; then
+
   tar xpfJ "$HDA.txz" --absolute-names -C "$MOUNT/"
+
 fi
 
 [ -d "$PKG" ] && mv "$PKG/" "$MOUNT/.SynoUpgradePackages/"
 rm -f "$MOUNT/.SynoUpgradePackages/ActiveInsight-"*
 
 [ -f "$HDP.txz" ] && tar xpfJ "$HDP.txz" --absolute-names -C "$MOUNT/"
-[ -f "$IDB.txz" ] && tar xpfJ "$IDB.txz" --absolute-names -C "$MOUNT/usr/syno/synoman/indexdb/"
 
-info "Install: Installing system partition..."
+if [ -f "$IDB.txz" ]; then
+  INDEX_DB="$MOUNT/usr/syno/synoman/indexdb/"
+  mkdir -p "$INDEX_DB"
+  tar xpfJ "$IDB.txz" --absolute-names -C "$INDEX_DB"
+fi
 
-LABEL="1.44.1-42218"
-OFFSET="1048576" # 2048 * 512
-NUMBLOCKS="622560" # (4980480 * 512) / 4096
+if [[ "$ROOT" != [Nn]* ]]; then
+
+  info "Install: Installing system partition..."
+
+  mke2fs -q -t ext4 -b 4096 -d "$MOUNT/" -L "$LABEL" -F -E "offset=$OFFSET" "$SYSTEM" "$NUMBLOCKS"
 
-mke2fs -q -t ext4 -b 4096 -d "$MOUNT/" -L "$LABEL" -F -E "offset=$OFFSET" "$SYSTEM" "$NUMBLOCKS"
+else
+
+  fakeroot -- bash -c "set -Eeu;\
+        tar xpfJ $HDA.txz --absolute-names --skip-old-files -C $MOUNT/;\
+        printf '%b%s%b' '\E[1;34m❯ \E[1;36m' 'Install: Installing system partition...' '\E[0m\n';\
+        mke2fs -q -t ext4 -b 4096 -d $MOUNT/ -L $LABEL -F -E offset=$OFFSET $SYSTEM $NUMBLOCKS"
+
+fi
 
 rm -rf "$MOUNT"