Make (most) containers run with a read-only filesystem

2019-01-29 18:52:02 +02:00
parent b77b967171
commit 0be7b25c64
14 changed files with 49 additions and 14 deletions
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -39,6 +39,9 @@ matrix_synapse_max_upload_size_mb: 10
 matrix_synapse_max_log_file_size_mb: 100
 matrix_synapse_max_log_files_count: 10

+# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
+matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}"
+
 # Log levels
 # Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels
 # warning: setting log level to DEBUG will make synapse log sensitive information such
@ -187,4 +190,4 @@ matrix_mautrix_whatsapp_enabled: false

 matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest"

-matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"
+matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -18,11 +18,14 @@ ExecStartPre=-/usr/bin/docker rm matrix-synapse
 # we'd write files to the local filesystem and fusermount will complain.
 ExecStartPre=/bin/sleep 5
 {% endif %}
+
 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--entrypoint=python \
+			--read-only \
+			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
 			{% if matrix_synapse_federation_enabled %}
@ -31,14 +34,15 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% if matrix_synapse_container_expose_client_server_api_port %}
 			-p 127.0.0.1:8008:8008 \
 			{% endif %}
-			-v {{ matrix_synapse_config_dir_path }}:/data \
-			-v {{ matrix_synapse_run_path }}:/matrix-run \
+			-v {{ matrix_synapse_config_dir_path }}:/data:ro \
+			-v {{ matrix_synapse_run_path }}:/matrix-run:rw \
 			-v {{ matrix_synapse_base_path }}/storage:/matrix-media-store-parent:slave \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}
 			{{ matrix_synapse_docker_image }} \
 			-m synapse.app.homeserver -c /data/homeserver.yaml
+
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse
 Restart=always