Make (most) containers run with a read-only filesystem

2019-01-29 18:52:02 +02:00
parent b77b967171
commit 0be7b25c64
14 changed files with 49 additions and 14 deletions
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -18,11 +18,14 @@ ExecStartPre=-/usr/bin/docker rm matrix-synapse
 # we'd write files to the local filesystem and fusermount will complain.
 ExecStartPre=/bin/sleep 5
 {% endif %}
+
 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--entrypoint=python \
+			--read-only \
+			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
 			{% if matrix_synapse_federation_enabled %}
@ -31,14 +34,15 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% if matrix_synapse_container_expose_client_server_api_port %}
 			-p 127.0.0.1:8008:8008 \
 			{% endif %}
-			-v {{ matrix_synapse_config_dir_path }}:/data \
-			-v {{ matrix_synapse_run_path }}:/matrix-run \
+			-v {{ matrix_synapse_config_dir_path }}:/data:ro \
+			-v {{ matrix_synapse_run_path }}:/matrix-run:rw \
 			-v {{ matrix_synapse_base_path }}/storage:/matrix-media-store-parent:slave \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}
 			{{ matrix_synapse_docker_image }} \
 			-m synapse.app.homeserver -c /data/homeserver.yaml
+
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse
 Restart=always