Make (most) containers run with a read-only filesystem

2019-01-29 18:52:02 +02:00
parent b77b967171
commit 0be7b25c64
14 changed files with 49 additions and 14 deletions
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -44,7 +44,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:809
 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
 matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "localhost:8008"
 # This needs to be equal or higher than the maximum upload size accepted by Synapse.
-matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size: "25M"
+matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
+
+# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
+matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 50 }}"

 # A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
 matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
@ -85,4 +88,4 @@ matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt

 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
-matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
+matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@ -116,7 +116,7 @@ server {
 		proxy_set_header X-Forwarded-For $remote_addr;

 		client_body_buffer_size 25M;
-		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size }};
+		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
 		proxy_max_temp_file_size 0;
 	}

--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@ -12,10 +12,13 @@ Wants={{ service }}
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
+
 ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--read-only \
+			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			-p 80:8080 \
 			-p 443:8443 \
@ -24,6 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			-v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \
 			-v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \
 			{{ matrix_nginx_proxy_docker_image }}
+
 ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
 ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload