Run container unprivileged by default using a macvlan
This commit is contained in:
Josh.5
@@ -4,28 +4,44 @@ services:
|
||||
image: josh5/steam-headless:latest
|
||||
restart: unless-stopped
|
||||
runtime: ${DOCKER_RUNTIME}
|
||||
## NOTE: Requires privileged access to host to be able to access the required devices
|
||||
privileged: true
|
||||
shm_size: ${SHM_SIZE}
|
||||
ipc: host # Could also be set to 'shareable'
|
||||
ulimits:
|
||||
nofile:
|
||||
soft: 1024
|
||||
hard: 524288
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- SYS_ADMIN
|
||||
- SYS_NICE
|
||||
security_opt:
|
||||
- seccomp:unconfined
|
||||
- apparmor:unconfined
|
||||
|
||||
# NETWORK:
|
||||
## NOTE: Steam headless always requires the use of the host network.
|
||||
## If we do not use the host network, then device input is not possible
|
||||
## and your controllers will not work in steam games.
|
||||
network_mode: host
|
||||
hostname: ${NAME}
|
||||
extra_hosts:
|
||||
- "${NAME}:127.0.0.1"
|
||||
networks:
|
||||
external-macvlan:
|
||||
ipv4_address: ${CONTAINER_IP_ADDRESS}
|
||||
|
||||
# ENVIRONMENT:
|
||||
## Read all config variables from the .env file
|
||||
env_file: .env
|
||||
|
||||
# DEVICES:
|
||||
devices:
|
||||
# Use the host fuse device.
|
||||
- /dev/fuse
|
||||
# Add the host uinput device.
|
||||
- /dev/uinput
|
||||
# Add AMD/Intel HW accelerated video encoding/decoding devices (optional)
|
||||
#- /dev/dri
|
||||
# Ensure container access to devices 13:*
|
||||
device_cgroup_rules:
|
||||
- 'c 13:* rmw'
|
||||
|
||||
# VOLUMES:
|
||||
volumes:
|
||||
# The location of your home directory.
|
||||
@@ -37,24 +53,28 @@ services:
|
||||
- /mnt/games/:/mnt/games/:rw
|
||||
|
||||
# The Xorg socket. This will be shared with other containers so they can access the X server.
|
||||
# Select only one option:
|
||||
# Select only one option or leave commented out to not share the Xorg socket with any other Docker containers.
|
||||
# Option #1) Start a X server in the container to share with any other containers.
|
||||
- /opt/container-data/steam-headless/.X11-unix/:/tmp/.X11-unix/:rw
|
||||
#- /opt/container-data/steam-headless/.X11-unix/:/tmp/.X11-unix/:rw
|
||||
# Option #2) Use an existing X server running on the host.
|
||||
#- /tmp/.X11-unix/:/tmp/.X11-unix/:rw
|
||||
|
||||
# Pulse audio socket. This will be shared with other containers so they can access the audio sink.
|
||||
- /opt/container-data/steam-headless/pulse/:/tmp/pulse/:rw
|
||||
# Leave commented out to not share the pulse socket with any other Docker containers.
|
||||
#- /opt/container-data/steam-headless/pulse/:/tmp/pulse/:rw
|
||||
|
||||
# Input devices used for mouse and joypad support inside the container.
|
||||
- /dev/input/:/dev/input/:ro
|
||||
|
||||
# Store dind var files in a volume.
|
||||
- steam-headless-var-lib-docker:/var/lib/docker/:rw
|
||||
# Host udev data required for input devices
|
||||
- /run/udev/data/:/run/udev/data/:ro
|
||||
|
||||
# Store flatpak var files in a volume.
|
||||
- steam-headless-var-lib-flatpak:/var/lib/flatpak/:rw
|
||||
|
||||
volumes:
|
||||
steam-headless-var-lib-docker:
|
||||
steam-headless-var-lib-flatpak:
|
||||
|
||||
networks:
|
||||
external-macvlan:
|
||||
external: true
|
||||
name: ${NETWORK_NAME}
|
||||
|
||||
Reference in New Issue
Block a user