~ temp commit, working on readme & apparmor

README.md

@@ -2,20 +2,75 @@
 GMOD TTT server image, https://hub.docker.com/r/jusito/
 
 ## TODO
-- use readme template
-- force cleanup of downloaded elements => removed workshop elements are otherwise used
+* sv_password not working
+* rcon not working
+* scrds doesn't like different internal / external ports (thats why no ports are exposed)
+* replacer config in other repo u2d?
+* health check -> details
+* volume for steam workshop
+* volume for other games
+* volume for gmod config
+* AppArmor Profile
 
-## run example
-```
-docker run -d -p 27015:27015/tcp -p 27015:27015/udp -e WORKSHOP_COLLECTION_ID=123456 -e INSTALL_CSS=true "jusito/docker-ttt" +host_workshop_collection 123456 +map ttt_rooftops_2016_v1 -maxplayers
-```
--d exit if entrypoint exits
-tcp port for rcon, if you want to use it start with -usercon +rcon_password "yourPW"
-udp port for game traffic
+## Getting Started
+1. Create public workshop collection without maps, dummy ID:=123456. Use `jusito/docker-ttt [...] +host_workshop_collection 123456`. Create a collection with maps ID:=7891011 and add/link it to 123456. If you want the clients to automatically load the collection from the workshop when connecting without subscribing, use `-e WORKSHOP_COLLECTION_ID=123456`. The users loading all non-maps at startup and the map if needed, but you don't need to point them to the collection in the workshop.
+2. Do this elements need CSS, HL2, HLDM, TF2? Use `-e INSTALL_CSS=true` or `-e INSTALL_HL2=true` aso.
+3. Which ports? 27015/udp is default for game traffic x/tcp for rcon, for 27016 you would use `-p 27016:27016/udp [...] jusito/docker-ttt [...] -port 27016`.
+4. Set environment variables like servername `-e SERVER_NAME="My Server"`, password `-e SERVER_PASSWORD="securepw"` and timezone for cron `-e TZ="Europe/Berlin"`, default short downtime at Sunday 10 o'clock.
+5. Add options for server like startmap `+map ttt_rooftops_2016_v1` and max players `-maxplayers 10`
 
-## access console
+### run example without rcon
+```
+docker run -d \
+ -e INSTALL_CSS=true \
+ -p 27015:27015/udp \
+ -e SERVER_NAME="My Server" \
+ -e SERVER_PASSWORD="securepw" \
+ -e TZ="Europe/Berlin" \
+ jusito/docker-ttt:gmod_ttt_debian \
+ -port 27015 \
+ +map ttt_rooftops_2016_v1 \
+ -maxplayers 10
+```
+
+### run example with rcon
+```
+docker run -d \
+ -e WORKSHOP_COLLECTION_ID=123456 \
+ -e INSTALL_CSS=true \
+ -p 27015:27015/udp -p 27015:27015/tcp \
+ -e SERVER_NAME="My Server" \
+ -e SERVER_PASSWORD="securepw" \
+ -e TZ="Europe/Berlin" \
+ jusito/docker-ttt:gmod_ttt_debian \
+ -port 27015 \
+ +map ttt_rooftops_2016_v1 \
+ -maxplayers 10 \
+ -usercon +rcon_password "yourPW"
+```
+
+## Tags
+* lgsm\_debian - Linux Game Server Manager in Debian
+* gmod\_debian - Garrys Mod with Debian and LGSM
+* gmod\_ttt\_debian
+
+## Environment Variables
+
+### Server Properties
+### additional config
+### Internal Used (don't change please)
+
+## GMOD Parameters
+
+## LGSM Usage
 docker exec -it CONTAINER ./home/steam/gmodserver console
 
+## File Locations
+### Volumes
+
+### Other
+
+
 ## environment variables
 If set every workshop item at the collection is added as forced, that means its automatically downloaded on connecting. Don't add collections with maps here just like weapons aso.
 WORKSHOP_COLLECTION_ID=
@@ -40,6 +95,7 @@ docker cp "your server.cfg path" CONTAINER:/home/steam/serverfiles/garrysmod/cfg
 
 
 ## Additional
-
+- Debian Buster, one dependency is missing: https://packages.debian.org/search?keywords=lib32tinfo5
+- Alpine, steamcmd doesn't like musl
 ### Debian Buster
 Currently one dependency is missing: https://packages.debian.org/search?keywords=lib32tinfo5

apparmor/JusitoGmod

@@ -0,0 +1,69 @@
+// +build linux
+
+package apparmor // import "github.com/docker/docker/profiles/apparmor"
+
+// baseTemplate defines the default apparmor profile for containers.
+const baseTemplate = `
+{{range $value := .Imports}}
+{{$value}}
+{{end}}
+
+profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+{{range $value := .InnerImports}}
+  {{$value}}
+{{end}}
+
+  network,
+  capability,
+  file,
+  umount,
+{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+  signal (receive) peer={{.DaemonProfile}},
+{{/* Allow container processes to send signals amongst themselves. */}}
+  signal (send,receive) peer={{.Name}},
+{{end}}
+
+  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
+  # deny write to files not in /proc/<number>/** or /proc/sys/**
+  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/kcore rwklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+  
+  deny /bin/*/** w,
+  deny /boot/*/** w,
+  deny /dev/*/** w,
+  deny /etc/*/** w,
+  deny /home/* w,
+  deny /lib/*/** w,
+  deny /lib64/*/** w,
+  deny /media/*/** w,
+  deny /mnt/*/** w,
+  deny /opt/*/** w,
+  deny /proc/*/** w,
+  deny /root/*/** w,
+  deny /run/*/** w,
+  deny /sbin/*/** w,
+  deny /srv/*/** w,
+  deny /sys/*/** w,
+  deny /tmp/*/** w,
+  deny /usr/*/** w,
+  deny /var/*/** w,
+
+{{if ge .Version 208095}}
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read,tracedby,readby) peer={{.Name}},
+{{end}}
+}

apparmor/generateAppArmorProfile.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ "${DEBUGGING}" = "true" ]; then
+	set -o xtrace
+fi
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+wget -qO "apparmor.profile" 'https://raw.githubusercontent.com/moby/moby/master/profiles/apparmor/template.go'
+