Smartentry is a generic, batteries-included Docker entrypoint implemented as a single shell script: smartentry.sh. It assembles your container at runtime from an "assets" directory, with templating, patching, volume initialization, and permission reconciliation.
- License: MIT (see LICENSE)
- Main program: smartentry.sh
- Optional CI helper for maintainers: smartentry-build (used in .github/workflows/build.yml)
At container start, Smartentry can:

- Load environment variables from an env file (with optional overrides) and verify required ones.
- Materialize rootfs/ (a template tree) into /, substituting {{VARNAME}} from the environment.
- Apply patch/diff files from patch/ either at build-time or runtime.
- Initialize persistent volumes from an archive on first run and optionally fix ownership.
- Reconcile file modes and ownership based on a captured chmod.list.
- Run optional hooks before templating and before executing your main process.
- Execute your main program as a specific user or UID/GID.
All of this is controlled using environment variables (see below) and an assets directory (default /opt/smartentry/HEAD).
Minimal Dockerfile:

```dockerfile
FROM debian:bookworm
COPY smartentry.sh /sbin/smartentry.sh
ENV ASSETS_DIR=/opt/smartentry/HEAD
ENTRYPOINT ["/sbin/smartentry.sh"]
CMD ["run"]
```

Example assets mounted or baked into the image:

```
/opt/smartentry/HEAD/
  env
  rootfs/
    etc/myapp/config.yaml   # may contain {{MYAPP_PORT}}
  run                       # executable main program
  pre-entry.sh              # optional
  pre-run                   # optional
  patch/                    # optional (runtime or build-time)
  volumes.list              # optional
```
Run:

```sh
docker run --rm \
  -e MYAPP_PORT=8080 \
  -v $(pwd)/assets:/opt/smartentry/HEAD \
  smartentry/debian:bookworm
```

This repository publishes pre-built images via GitHub Actions (see .github/workflows/build.yml). Images are tagged as smartentry/<base>:<tag> (e.g., smartentry/debian:bookworm) and are rebuilt when upstream tags update. These images include smartentry.sh as the entrypoint and are suitable for direct use with an ASSETS_DIR volume.
- env: environment configuration (see next sections)
- rootfs/: template tree copied to / (with templating)
- patch/: unified diff files applied on top of / (build-time or runtime)
- pre-entry.sh: sourced prior to templating
- pre-run: executed just before the main program
- run: main program invoked by CMD ["run"]
- volumes.list: newline-separated list of paths to archive/restore
- Generated at build-time (optional):
  - checklist.md5: checksum list used to preserve user edits
  - chmod.list: captured file mode and ownership data
  - volumes.tar: archive of listed volumes

Default base path is ASSETS_DIR=/opt/smartentry/HEAD (configurable).
Smartentry supports two entry modes:

- Build-mode: smartentry.sh build
  - Optionally generate checklist.md5 from existing target files to preserve user modifications
  - Capture chmod.list when ENABLE_CHMOD_AUTO_FIX=true
  - Apply build-time patching (PATCH_MODE=buildtime)
  - Append paths from volumes.list to volumes.tar
- Run-mode (default): smartentry.sh run [args...] or smartentry.sh <command>
  - Detect first-run via INITIALIZED_FLAG
  - Source pre-entry.sh
  - Load/verify env, apply template (rootfs/) and runtime patching
  - Initialize volumes and fix ownership if enabled
  - Apply chmod/chown fixes from chmod.list
  - Run pre-run (if enabled), then exec the main program or supplied command
- BUILD_SCRIPT ($ASSETS_DIR/build): optional script executed in build-mode before other steps.
- PRE_ENTRY_SCRIPT ($ASSETS_DIR/pre-entry.sh): sourced at runtime before templating.
- PRE_RUN_SCRIPT ($ASSETS_DIR/pre-run): executed just before the main program.
- RUN_SCRIPT ($ASSETS_DIR/run): main program when using CMD ["run"].

Enable/disable with ENABLE_PRE_RUN_SCRIPT, etc. (see toggles below).
ENV_FILE defaults to $ASSETS_DIR/env.

- Lines with KEY=VALUE export variables (unless ENABLE_OVERRIDE_ENV=false and the variable is already set in the environment).
- Lines with just KEY declare required variables. If ENABLE_MANDATORY_CHECK_ENV=true, Smartentry exits if any required variable is missing.

Tip: You can provide .env-style files via bind mount to $ASSETS_DIR/env.
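The following is an added example of the env-file semantics described above, written for this README; it is not smartentry.sh's own implementation. It assumes POSIX sh, and the function name `load_env_file` is our own. It shows the two line kinds (KEY=VALUE exports and bare KEY requirements), the ENABLE_OVERRIDE_ENV=false rule that keeps a value already present in the environment, and the mandatory check that fails when a required name is unset:

```sh
#!/bin/sh
# Added example: process an env file with smartentry-style semantics.
# load_env_file FILE
#   KEY=VALUE lines are exported, unless ENABLE_OVERRIDE_ENV is false and
#   KEY is already set in the environment (the caller's value wins).
#   Bare KEY lines declare required variables; when
#   ENABLE_MANDATORY_CHECK_ENV is true and any of them is unset, the
#   missing names are printed to stderr and the function returns 1.
load_env_file() {
    file=$1
    missing=""
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case $line in ''|'#'*) continue ;; esac
        case $line in
            *=*)
                key=${line%%=*}
                value=${line#*=}
                # accept only identifier-shaped keys (eval below relies on this)
                case $key in ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;; esac
                if [ "${ENABLE_OVERRIDE_ENV:-false}" = false ] \
                   && eval "[ -n \"\${$key+x}\" ]"; then
                    continue   # already set in the environment: keep it
                fi
                export "$key=$value"
                ;;
            *)
                key=$line
                case $key in [0-9]*|*[!A-Za-z0-9_]*) continue ;; esac
                if eval "[ -z \"\${$key+x}\" ]"; then
                    missing="$missing $key"
                fi
                ;;
        esac
    done < "$file"
    if [ -n "$missing" ] && [ "${ENABLE_MANDATORY_CHECK_ENV:-true}" = true ]; then
        echo "missing required variables:$missing" >&2
        return 1
    fi
    return 0
}
```

Because `while ... done < "$file"` runs in the current shell, the exports persist for whatever the caller runs next, which is the behaviour an entrypoint needs before exec'ing the main program.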
- Files copied from rootfs/ to / undergo string substitution: each {{VARNAME}} is replaced with the value of $VARNAME.
- Values containing / are inserted literally, so paths in variable values do not break the substitution.
- Variables with no value are replaced by an empty string.
- A helper script is provided to list variables referenced in templates:

  ```sh
  tools/get_template_variable.sh /path/to/rootfs
  ```
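The following is an added example of the substitution rules above, written for this README; it is not smartentry.sh's own code nor tools/get_template_variable.sh. It assumes POSIX sh with grep, sed and sort, and the function names `list_template_vars` and `render_template` are our own. Values are escaped before being placed in the sed replacement, so `/`, `&`, `|` and `\` in a value come through literally, and an unset variable renders as an empty string:

```sh
#!/bin/sh
# Added example: {{VARNAME}} templating from the environment.

# list_template_vars FILE: print each distinct VARNAME referenced as {{VARNAME}}
list_template_vars() {
    grep -o '{{[A-Za-z_][A-Za-z0-9_]*}}' "$1" | sed 's/^{{//; s/}}$//' | sort -u
}

# render_template SRC DST: copy SRC to DST, replacing every {{VARNAME}} with
# the value of $VARNAME. Unset or empty variables become "".
render_template() {
    src=$1; dst=$2
    nl='
'
    script=""
    for var in $(list_template_vars "$src"); do
        # eval is safe here: list_template_vars only yields [A-Za-z_][A-Za-z0-9_]*
        eval "val=\${$var}"
        # Escape what is special on the right-hand side of s|...|...|:
        # the delimiter '|', '&' (matched text) and '\'. Everything else,
        # including '/', is inserted literally. (Values with newlines are
        # not handled by this example.)
        esc=$(printf '%s' "$val" | sed 's/[\\&|]/\\&/g')
        script="${script}s|{{${var}}}|${esc}|g${nl}"
    done
    sed "$script" "$src" > "$dst"
}
```

Running it over a file containing `port: {{MYAPP_PORT}}` with `MYAPP_PORT=8080` exported yields `port: 8080`; a reference to a variable that is not exported renders as nothing.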
- Store GNU patch-compatible diffs under patch/, using destination paths relative to /. Smartentry runs patch <destination> <diff-file> for each file, so the diff must describe how to transform the existing destination file.
- Choose when to apply with PATCH_MODE:
  - buildtime: applied by smartentry.sh build
  - runtime: applied on every container start
- Example layout:

  ```
  patch/
    etc/myapp/config.yaml.diff
    usr/local/bin/tool.sh.patch
  ```

- To create a diff from a modified file:

  ```sh
  diff -u /etc/myapp/config.yaml new-config.yaml > patch/etc/myapp/config.yaml.diff
  ```
- When ENABLE_KEEP_USER_MODIFICATION=true and checklist.md5 exists, Smartentry only overwrites a target file if its checksum still matches the recorded value (i.e., the user has not modified it). New files are always created.
- Generate checklist.md5 in build-mode: for each file under rootfs/, record the checksum of the destination path if it exists.
- List paths to persist in volumes.list. Build-mode appends each to volumes.tar.
- On first run, if a listed path is empty or missing (or when ENABLE_FORCE_INIT_VOLUMES_DATA=true), extract it from volumes.tar.
- Ownership fixes for non-root users:
  - ENABLE_FIX_OWNER_OF_VOLUMES=true changes the top-level path owner
  - ENABLE_FIX_OWNER_OF_VOLUMES_DATA=true changes ownership recursively
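The following is an added example of the archive/restore cycle described above, written for this README; it is not smartentry.sh's own code. It assumes POSIX sh and a tar supporting -C, -c/-x and -f, and takes an explicit root directory argument (our own addition, so the example can run against a scratch directory instead of /). The function names `archive_volumes`, `volume_is_empty` and `init_volumes` are ours. The restore step only touches a listed path when it is missing or an empty directory, unless ENABLE_FORCE_INIT_VOLUMES_DATA=true, so data a user has already placed in a volume is left alone on the default path:

```sh
#!/bin/sh
# Added example: volumes.list / volumes.tar handling.
# Paths in the list are absolute (as under /) and are stored in the archive
# relative to ROOT. Paths containing whitespace are not handled here.

# archive_volumes ROOT LIST ARCHIVE: build-mode step, archive every listed path
archive_volumes() {
    root=$1; list=$2; archive=$3
    members=""
    while IFS= read -r p || [ -n "$p" ]; do
        [ -n "$p" ] || continue
        members="$members ${p#/}"
    done < "$list"
    # shellcheck disable=SC2086  # members is intentionally word-split
    tar -C "$root" -cf "$archive" $members
}

# volume_is_empty PATH: true when PATH does not exist or is an empty directory
volume_is_empty() {
    [ ! -e "$1" ] || { [ -d "$1" ] && [ -z "$(ls -A "$1")" ]; }
}

# init_volumes ROOT LIST ARCHIVE: run-mode step; restore each listed path that
# is empty or missing (or every path when ENABLE_FORCE_INIT_VOLUMES_DATA=true)
# and print the paths that were restored, one per line.
init_volumes() {
    root=$1; list=$2; archive=$3
    while IFS= read -r p || [ -n "$p" ]; do
        [ -n "$p" ] || continue
        dest="$root/${p#/}"
        if [ "${ENABLE_FORCE_INIT_VOLUMES_DATA:-false}" = true ] || volume_is_empty "$dest"; then
            tar -C "$root" -xf "$archive" "${p#/}"
            echo "$p"
        fi
    done < "$list"
}
```

Note that the forced mode overwrites files already present in the volume with the archived copies, which is what makes it useful for resetting a volume and what makes it unsuitable as a default.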
- If ENABLE_CHMOD_AUTO_FIX=true during build-mode, Smartentry captures file mode, owner, and group into chmod.list for all files/dirs under rootfs/ that exist at the destination.
- At runtime with ENABLE_CHMOD_FIX=true, it applies the recorded modes and ownership where paths exist.
You can run the main program as:

- A specific UID (DOCKER_UID): Smartentry maps or creates a passwd entry.
- A specific username (DOCKER_USER): Smartentry resolves UID/GID.
- Default: root (UID/GID 0).

DOCKER_HOME may be overridden; Smartentry updates /etc/passwd to reflect the new home for the chosen user.
Set ENABLE_UNSET_ENV_VARIBLES=true to clear the environment before executing the main program, preserving only TERM, PATH, HOME, and SHLVL.
Use this to reduce accidental leakage of build-time secrets into runtime.
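The following is an added example of that scrubbing policy, written for this README; it is not smartentry.sh's own code. It assumes POSIX sh and an env(1) that supports -i; the function names `env_names_dropped` and `run_with_clean_env` are ours. The first function is a pre-flight audit of which names the scrub would remove, useful for confirming that a build-time secret would not reach the main process; the second runs a command with only TERM, PATH, HOME and SHLVL carried over (smartentry execs the main program at this point; the example calls it so the check can be observed):

```sh
#!/bin/sh
# Added example: environment scrubbing before launching the main program.

# env_names_dropped: print the names currently in the environment that would
# NOT survive the scrub (everything except TERM, PATH, HOME and SHLVL).
env_names_dropped() {
    env | sed 's/=.*//' | grep -v -x -e TERM -e PATH -e HOME -e SHLVL | sort -u
}

# run_with_clean_env CMD [ARGS...]: start from an empty environment (env -i)
# and re-add only the four allowed names before running CMD.
run_with_clean_env() {
    env -i TERM="${TERM-}" PATH="${PATH-}" HOME="${HOME-}" SHLVL="${SHLVL-}" "$@"
}
```

`env_names_dropped` reads multi-line values imperfectly (each continuation line shows up as a bogus name), which is acceptable for an audit listing but is why the real scrub uses `env -i` rather than unsetting names one by one.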
| Variable | Default |
|---|---|
| ASSETS_DIR | /opt/smartentry/HEAD |
| ENV_FILE | $ASSETS_DIR/env |
| ROOTFS_DIR | $ASSETS_DIR/rootfs |
| PATCH_DIR | $ASSETS_DIR/patch |
| PATCH_MODE | buildtime (or runtime) |
| CHECKLIST_FILE | $ASSETS_DIR/checklist.md5 |
| CHMOD_FILE | $ASSETS_DIR/chmod.list |
| RUN_SCRIPT | $ASSETS_DIR/run |
| BUILD_SCRIPT | $ASSETS_DIR/build |
| PRE_ENTRY_SCRIPT | $ASSETS_DIR/pre-entry.sh |
| PRE_RUN_SCRIPT | $ASSETS_DIR/pre-run |
| VOLUMES_LIST | $ASSETS_DIR/volumes.list |
| VOLUMES_ARCHIVE | $ASSETS_DIR/volumes.tar |
| INITIALIZED_FLAG | /var/run/smartentry.initialized |
| DOCKER_SHELL | /bin/bash |
| Variable | Default |
|---|---|
| ENABLE_OVERRIDE_ENV | false |
| ENABLE_KEEP_USER_MODIFICATION | true |
| ENABLE_CHMOD_AUTO_FIX | true |
| ENABLE_INIT_VOLUMES_DATA | true |
| ENABLE_ROOTFS | true |
| ENABLE_PATCH | true |
| ENABLE_CHMOD_FIX | true |
| ENABLE_UNSET_ENV_VARIBLES | true |
| ENABLE_PRE_RUN_SCRIPT | true |
| ENABLE_FORCE_INIT_VOLUMES_DATA | false |
| ENABLE_FIX_OWNER_OF_VOLUMES | false |
| ENABLE_FIX_OWNER_OF_VOLUMES_DATA | false |
| ENABLE_MANDATORY_CHECK_ENV | true |
| Variable |
|---|
| DOCKER_UID |
| DOCKER_GID |
| DOCKER_USER |
| DOCKER_HOME |
- Browse real-world usages of Smartentry images: GitHub search
For repository maintainers, a small Python helper (smartentry-build) orchestrates differential multi-arch builds in CI. It is used by the GitHub Action defined in .github/workflows/build.yml. End-users of smartentry.sh do not need this helper.
MIT License. See LICENSE.