Conversation
添加aria2b 分支,可屏蔽迅雷、qq旋风、影音先锋、百度网盘等吸血客户端`A2B=true`(集成自makeding/aria2b,感谢)
添加ENV `CRA2B=2h` 默认为2小时重启一次aria2b 可设置为1h到24h CRA2B=false则为禁用自动重启aria2b
Update install.sh
Update install.sh Update README.md Update Dockerfile
更换web服务器为caddy 更新ariang v1.3.9
This reverts commit 11e8dbe.
There was a problem hiding this comment.
Pull request overview
This pull request adds aria2b integration to block BitTorrent leechers (like Xunlei, QQ Xuanfeng, etc.) with automatic restart capabilities and various code improvements.
Changes:
- Adds aria2b service with configurable logging and periodic restart capability
- Updates Alpine base image from 3.21 to 3.22
- Implements disk space checking before file moves with fallback to failure directory
- Fixes shell script quoting issues and improves TASK_NAME extraction for single files
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 19 comments.
Show a summary per file
| File | Description |
|---|---|
| root/etc/services.d/aria2b/run | New service script for aria2b with conditional logging |
| root/etc/services.d/aria2/run | Fixed stderr redirection syntax and added trailing backslash |
| root/etc/cont-init.d/40-config | Added /www ownership change and cron-restart-a2b setup |
| root/etc/cont-init.d/30-config | Added trailing newline |
| root/aria2/script/tracker.sh | Consolidated ARIA2_CONF default value |
| root/aria2/script/stop.sh | Fixed quoting of dirname parameter |
| root/aria2/script/start.sh | Fixed quoting of dirname parameter |
| root/aria2/script/cron-restart-a2b.sh | New script to manage periodic aria2b restarts via cron |
| root/aria2/script/core | Added disk space validation, fixed variable quoting, improved TASK_NAME extraction |
| root/aria2/script/completed.sh | Fixed quoting of dirname parameter |
| root/aria2/conf/rpc-tracker0 | Removed 15-minute periodic task entry |
| Dockerfile | Updated Alpine to 3.22, added aria2b binary, added networking packages |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| exec aria2b \ | ||
| -c "/config/aria2.conf" \ | ||
| -u "http://127.0.0.1:${PORT}/jsonrpc" \ | ||
| -s "${SECRET}" |
There was a problem hiding this comment.
The aria2b service runs with exec but lacks user context management. The aria2 service uses s6-setuidgid abc aria2c to run as the correct user. The aria2b service should follow the same pattern to ensure consistent file permissions and security context.
| echo "已移除现有的定时重启 aria2b 任务。" | ||
|
|
||
| # 设置新的 cron job,在每小时的整点执行重启 aria2b 进程的命令 | ||
| (crontab -l ; echo "0 */$HOURS * * * ps -ef | grep aria2b | grep -v grep | awk '{print \$2}' | xargs kill -9") | crontab - |
There was a problem hiding this comment.
The cron command is being added each time this script runs without checking if it already exists. Although there's a grep -v attempt to remove duplicates before adding, if the script is called multiple times in quick succession, it could result in duplicate cron entries. Consider adding a check to ensure the cron job doesn't already exist before adding it, or use a more robust method like maintaining a separate cron file.
| /aria2/script/* | ||
|
|
||
| # set cron-restart-a2b | ||
| bash /aria2/script/cron-restart-a2b.sh |
There was a problem hiding this comment.
The cron-restart-a2b.sh script is called directly with bash during container initialization (40-config runs before services start). However, this script modifies the crontab to kill aria2b processes. At this point during init, aria2b service hasn't started yet, so the cron job will be set up but aria2b won't exist to be killed. This seems intentional for setting up the periodic restart, but the error handling in the script should account for aria2b not running yet. Also, if the CRA2B environment variable changes on container restart, the old cron job may not be properly removed since the pattern might have changed.
| exec aria2b \ | ||
| -c "/config/aria2.conf" \ | ||
| -u "http://127.0.0.1:${PORT}/jsonrpc" \ | ||
| -s "${SECRET}" > /dev/null 2>&1 | ||
| else | ||
| # 分支二:启用 Aria2B,并显示日志(默认行为) | ||
| echo "信息:将启动 Aria2B 并显示其运行日志。" | ||
| echo "信息:(如需屏蔽日志,请设置环境变量 A2B_DISABLE_LOG=true)" | ||
| exec aria2b \ | ||
| -c "/config/aria2.conf" \ | ||
| -u "http://127.0.0.1:${PORT}/jsonrpc" \ | ||
| -s "${SECRET}" |
There was a problem hiding this comment.
The aria2b service requires access to /config/aria2.conf which may contain sensitive information like RPC secrets. The service is not running with s6-setuidgid abc (unlike the main aria2 service), which means it runs as root. This violates the principle of least privilege and increases security risk. If aria2b is compromised, it would have root access to the container. The service should be modified to run as user abc like the main aria2 service.
| exec aria2b \ | ||
| -c "/config/aria2.conf" \ | ||
| -u "http://127.0.0.1:${PORT}/jsonrpc" \ | ||
| -s "${SECRET}" > /dev/null 2>&1 |
There was a problem hiding this comment.
The aria2b process is being started with exec, but when logs are redirected to /dev/null in the disabled log branch, the process will exit if aria2b terminates. In a service supervisor like s6, services that exit will be restarted. However, without proper service lifecycle management (like using s6-setuidgid as seen in the aria2 service), this could lead to unexpected behavior. Consider using the same pattern as the aria2 service with s6-setuidgid abc to run the process as the correct user.
| -u "http://127.0.0.1:${PORT}/jsonrpc" \ | ||
| -s "${SECRET}" > /dev/null 2>&1 | ||
| else | ||
| # 分支二:启用 Aria2B,并显示日志(默认行为) | ||
| echo "信息:将启动 Aria2B 并显示其运行日志。" | ||
| echo "信息:(如需屏蔽日志,请设置环境变量 A2B_DISABLE_LOG=true)" | ||
| exec aria2b \ | ||
| -c "/config/aria2.conf" \ | ||
| -u "http://127.0.0.1:${PORT}/jsonrpc" \ | ||
| -s "${SECRET}" |
There was a problem hiding this comment.
The PORT and SECRET environment variables are used directly without validation or proper quoting. If these variables are not set or contain unexpected values, the aria2b command could fail or behave unexpectedly. While these are typically set in the Dockerfile defaults, add validation or use default values if they're empty to make the script more robust. For example: PORT=${PORT:-6800} and SECRET=${SECRET:-} at the beginning of the script.
| # 检查 CRA2B 的值是否为 "false" | ||
| if [ "$CRA2B_VALUE" = "false" ]; then | ||
| # 删除现有的 aria2b cron 任务 | ||
| (crontab -l | grep -v "ps -ef | grep aria2b | grep -v grep | awk '{print \$2}' | xargs kill -9") | crontab - |
There was a problem hiding this comment.
The cron command added to crontab uses kill -9 which will forcefully terminate aria2b. However, this approach has several issues: 1) aria2b is likely managed by s6 service supervisor which will automatically restart it, potentially creating a restart loop; 2) The process lookup using ps -ef | grep aria2b | grep -v grep is fragile and could match unintended processes. Consider coordinating with the s6 service supervisor instead, or document that aria2b service should be managed separately from this cron-based restart mechanism.
| LABEL maintainer="NG6" | ||
| ENV TZ=Asia/Shanghai UT=true SECRET=yourtoken CACHE=128M QUIET=true \ | ||
| SMD=true RUT=true PORT=6800 WEBUI=true WEBUI_PORT=8080 BTPORT=32516 \ | ||
| SMD=true RUT=true A2B=true CRA2B=2h \ |
There was a problem hiding this comment.
The default environment variable A2B=true means aria2b will be enabled by default for all users of this image. This is a significant change in behavior from previous versions where aria2b was opt-in. Users upgrading to this version may unexpectedly have aria2b enabled without explicitly requesting it. Consider whether the default should remain false for backward compatibility, or ensure this breaking change is clearly documented in release notes.
|
|
||
| # install | ||
| RUN apk add --no-cache darkhttpd curl jq findutils \ | ||
| RUN apk add --no-cache darkhttpd curl jq findutils iptables ip6tables ipset nodejs \ |
There was a problem hiding this comment.
Several new packages are being added (iptables, ip6tables, ipset, nodejs) which significantly increase the image size and attack surface. These packages are presumably required for aria2b functionality, but:
nodejsis a large runtime - verify it's actually needed by aria2biptables,ip6tables, andipsetrequire elevated privileges to function - ensure the security implications are documented- Consider whether these dependencies could be optional when A2B is disabled
This increases the image size substantially from the advertised "10.77 MB" mentioned in the README.
| && A2B_VER=$(wget -qO- https://api.github.com/repos/makeding/aria2b/tags | grep 'name' | cut -d\" -f4 | head -1 ) \ | ||
| && wget -P /tmp https://github.com/makeding/aria2b/releases/download/${A2B_VER}/aria2b \ |
There was a problem hiding this comment.
The Dockerfile is downloading and embedding the aria2b binary directly from a third-party GitHub repository using the latest tag (https://github.com/makeding/aria2b/releases/download/${A2B_VER}/aria2b) without pinning to an immutable identifier or verifying integrity. If the makeding/aria2b repo, its tags, or the download channel are compromised, a malicious binary could be transparently pulled into future image builds and executed inside containers with access to downloads and any in-container secrets.
To reduce supply-chain risk, pin aria2b to a specific immutable version (e.g., commit or release checksum) and verify its integrity (hash/signature) before installing it into the image.
No description provided.