diff --git a/apps/prismlauncher/Containerfile b/apps/prismlauncher/Containerfile
index 08c86e9..63855cc 100644
--- a/apps/prismlauncher/Containerfile
+++ b/apps/prismlauncher/Containerfile
@@ -12,7 +12,5 @@ RUN apt-get -y update && apt-get -y install prismlauncher qtwayland5 openjdk-17-
 USER user
-LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/org.prismlauncher.PrismLauncher.desktop"
-
 ENTRYPOINT [ "/usr/bin/prismlauncher" ]
diff --git a/apps/shattered-pixel-dungeon/Containerfile b/apps/shattered-pixel-dungeon/Containerfile
index 16d6b5f..033e2bb 100644
--- a/apps/shattered-pixel-dungeon/Containerfile
+++ b/apps/shattered-pixel-dungeon/Containerfile
@@ -9,6 +9,4 @@ RUN pacman -Syu --noconfirm \
 USER user
-LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/shattered-pixel-dungeon.desktop"
-
 ENTRYPOINT [ "/usr/bin/shattered-pixel-dungeon" ]
diff --git a/apps/shattered-pixel-dungeon/control b/apps/shattered-pixel-dungeon/control
index 65705b4..690aa9b 100644
--- a/apps/shattered-pixel-dungeon/control
+++ b/apps/shattered-pixel-dungeon/control
@@ -1,2 +1,3 @@
 #!/usr/bin/env bash
 INVALIDATE_CACHE_UPSTREAM_ARCHLINUX="extra/any/shattered-pixel-dungeon"
+DESKTOP_FILE_PATH="/usr/share/applications/shattered-pixel-dungeon.desktop"
diff --git a/apps/steam/Containerfile b/apps/steam/Containerfile
index 1763985..814a29c 100644
--- a/apps/steam/Containerfile
+++ b/apps/steam/Containerfile
@@ -8,11 +8,4 @@ USER user
 ENV PROTON_NO_FSYNC=1
-LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/steam.desktop"
-
-# Steam Runtime requires its own namespaces
-# so we have to allow them in our seccomp filter.
-# Don't use it if you don't trust their sandboxing (pressure-vessel).
-LABEL net.typeblog.dobu.unsafe_i_know_what_i_am_doing_allow_namespaces="true"
-
 ENTRYPOINT [ "/usr/games/steam" ]
diff --git a/apps/steam/control b/apps/steam/control
index 1d0c74c..eedff9f 100644
--- a/apps/steam/control
+++ b/apps/steam/control
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 INVALIDATE_CACHE_UPSTREAM_UBUNTU="steam"
+DESKTOP_FILE_PATH="/usr/share/applications/steam.desktop"
 # Steam Runtime requires its own namespaces
 # so we have to allow them in our seccomp filter.
 # Don't use it if you don't trust their sandboxing (pressure-vessel).
diff --git a/create-shortcut.sh b/create-shortcut.sh
index 5ef25ab..df2a8e9 100755
--- a/create-shortcut.sh
+++ b/create-shortcut.sh
@@ -12,9 +12,9 @@ assert_image_exists "$image_name"
 [ -f "$script_path/apps/$1/control" ] || \
 die "App $1 does not have a control file that defines how to generate a shortcut"
-desktop_file_path="$(get_image_label "$image_name" "net.typeblog.dobu.desktop_file_path")"
+. "$script_path/apps/$1/control"
-[ -z "$desktop_file_path" ] && die "App $1 did not specify desktop_file_path in its labels"
+[ -z "${DESKTOP_FILE_PATH+x}" ] && die "App $1 did not specify DESKTOP_FILE_PATH in its control file"
 # Create a temporary working directory
 # Because we will have to extract files from the container image
@@ -36,8 +36,8 @@ log "Creating temporary container $tmp_container_name from $image_name"
 podman create --name "$tmp_container_name" "$image_name"
-log "Extracting $desktop_file_path from $tmp_container_name"
-podman cp "$tmp_container_name:$desktop_file_path" ./$1.desktop
+log "Extracting $DESKTOP_FILE_PATH from $tmp_container_name"
+podman cp "$tmp_container_name:$DESKTOP_FILE_PATH" ./$1.desktop
 log "Extracting /usr/share/icons from $tmp_container_name"
 podman cp "$tmp_container_name:/usr/share/icons" ./icons
diff --git a/dobu-run.sh b/dobu-run.sh
index 09745a9..5e79c49 100755
--- a/dobu-run.sh
+++ b/dobu-run.sh
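Review bot: `DESKTOP_FILE_PATH` is never cleared before `. "$script_path/apps/$1/control"` is sourced, so a value inherited from the caller's environment satisfies the new `${DESKTOP_FILE_PATH+x}` test even when the control file sets nothing, and the later `podman cp` then extracts whatever path the environment named — the old label lookup could not be steered this way, and the set-but-empty case (`DESKTOP_FILE_PATH=""`) now passes the check too. Reset it and require a non-empty value, e.g. `unset DESKTOP_FILE_PATH` just before the source line and `[ -n "${DESKTOP_FILE_PATH:-}" ] || die "App $1 did not specify DESKTOP_FILE_PATH in its control file"`. Note also that apps/prismlauncher/control is not touched in this diff although its label was removed, so unless that file already defines DESKTOP_FILE_PATH, `create-shortcut.sh prismlauncher` will now die at this check. The rest of the script runs outside the hunk.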
@@ -26,7 +26,11 @@ if container_exists "$container_name"; then
 exit 0
 fi
-if [ "$(get_image_label "$image_name" net.typeblog.dobu.unsafe_i_know_what_i_am_doing_allow_namespaces)" == "true" ]; then
+# Load app control file because some apps require run-time customization
+# TODO: Maybe these things should really be container labels?
+[ -f "$script_path/apps/$1/control" ] && . "$script_path/apps/$1/control"
+
+if [ "$UNSAFE_I_KNOW_WHAT_I_AM_DOING_ALLOW_NAMESPACES" == "true" ]; then
 log "Enabling sub-namespaces support inside this container"
 log "This is considered UNSAFE; DO NOT USE if the app inside container does not do its own sandboxing"
 log "DO NOT USE if you don't trust sandboxing done by the app inside"
diff --git a/functions.sh b/functions.sh
index da697d3..b79c105 100644
--- a/functions.sh
+++ b/functions.sh
@@ -72,11 +72,6 @@ container_exists() {
 podman container exists $1 > /dev/null 2>&1
 }
-get_image_label() {
- assert_image_exists "$1"
- podman inspect "$1" | jq -r ".[0].Labels.\"$2\""
-}
-
 remove_stale_container() {
 container_exists "$1" || return 0
 local is_running="$(podman inspect "$1" | jq -r '.[0].State.Running')"
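Review bot: `UNSAFE_I_KNOW_WHAT_I_AM_DOING_ALLOW_NAMESPACES` is tested straight from the shell's variable scope after the control file is sourced, but nothing resets it first, so a value exported in the user's environment would relax the seccomp filter for an app whose control file never asked for it (the old image-label lookup had no such path); clear it right before the `[ -f ... ] && . ...` line with `unset UNSAFE_I_KNOW_WHAT_I_AM_DOING_ALLOW_NAMESPACES` and test `[ "${UNSAFE_I_KNOW_WHAT_I_AM_DOING_ALLOW_NAMESPACES:-}" == "true" ]`, which also keeps the line safe if the script runs under `set -u` (not visible here). The TODO about moving these back into container labels deserves a recorded answer rather than an open question: keeping the namespace opt-in in the repo-local control file means a pulled or rebuilt image cannot grant itself the weaker seccomp profile, which is the safer arrangement, so I would replace the TODO with `# Kept out of image labels on purpose: an image must not be able to opt itself out of the seccomp filter.` The enclosing script continues outside the hunk.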