Drop capabilities in a few more places

Continuation of 316d653d3e
Slavi Pantaleev 2019-01-28 11:43:32 +02:00
parent 316d653d3e
commit 9438402f61
8 changed files with 13 additions and 2 deletions


@ -20,6 +20,7 @@
--rm --rm
--name=matrix-certbot --name=matrix-certbot
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
-p 80:8080 -p 80:8080
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
@ -46,6 +47,7 @@
--rm --rm
--name=matrix-certbot --name=matrix-certbot
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
--network={{ matrix_docker_network }} --network={{ matrix_docker_network }}
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
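Review bot: In this hunk the trailing `\` appears only on the `--user` line and on the newly added `--cap-drop=ALL \` line, while `--rm`, `--name` and `-p` carry none; the second hunk of this file (`-46,6 +47,7`) shows the same pattern. If this command is a folded `>-` scalar, as `matrix_postgres_import_command` is elsewhere in this commit, YAML joins the lines with spaces and each `\` reaches the shell as an escaped space rather than a line continuation, so the new line would be safer as `--cap-drop=ALL` with no backslash (and the `--user` line likewise). The scalar header is outside the hunk, so confirm against the file before changing it.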


@ -10,6 +10,7 @@ docker run \
--rm \ --rm \
--name=matrix-certbot \ --name=matrix-certbot \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network="{{ matrix_docker_network }}" \ --network="{{ matrix_docker_network }}" \
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \ -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \


@ -61,6 +61,7 @@
matrix_postgres_import_command: >- matrix_postgres_import_command: >-
/usr/bin/docker run --rm --name matrix-postgres-import /usr/bin/docker run --rm --name matrix-postgres-import
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }} --network={{ matrix_docker_network }}
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql --env-file={{ matrix_postgres_base_path }}/env-postgres-psql
-v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro -v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro


@ -79,11 +79,12 @@
detach: no detach: no
cleanup: yes cleanup: yes
entrypoint: /usr/local/bin/python entrypoint: /usr/local/bin/python
command: "/usr/local/bin/synapse_port_db --sqlite-database {{ server_path_homeserver_db }} --postgres-config /data/homeserver.yaml" command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml"
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
cap_drop: ['all']
volumes: volumes:
- "{{ matrix_synapse_config_dir_path }}:/data" - "{{ matrix_synapse_config_dir_path }}:/data"
- "{{ matrix_synapse_run_path }}:/matrix-run" - "{{ matrix_synapse_run_path }}:/matrix-run"
- "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db }}:ro" - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro"
networks: networks:
- name: "{{ matrix_docker_network }}" - name: "{{ matrix_docker_network }}"
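Review bot: The added `cap_drop: ['all']` uses flow style where the surrounding task writes every other list (`volumes:`, `networks:`) as a block sequence; for consistency write it as `cap_drop:` followed by `- all` on an indented line. The same flow-style line is added in the hunk at `-41,6 +41,7`. The rewritten `command:` and the `volumes:` entry now both refer to `/{{ server_path_homeserver_db|basename }}`, which keeps the mount and the argument in sync — a one-line comment above `command:` saying the in-container path must match the volume below would stop a future edit from diverging them again. The task's module header is above the first line of the hunk.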


@ -106,6 +106,7 @@
command: | command: |
/usr/bin/docker run --rm --name matrix-postgres-import \ /usr/bin/docker run --rm --name matrix-postgres-import \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-v {{ postgres_dump_dir }}:/in:ro \ -v {{ postgres_dump_dir }}:/in:ro \


@ -8,6 +8,8 @@ fi
docker run \ docker run \
-it \ -it \
--rm \ --rm \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \ --network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \ {{ matrix_postgres_docker_image_to_use }} \
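Review bot: The new `--user={{ matrix_user_uid }}:{{ matrix_user_gid }}` line runs the interactive psql client as a uid that presumably has no passwd entry inside the postgres image, so HOME would likely resolve to `/` and psql's attempt to save `~/.psql_history` would fail with a non-fatal warning at exit; worth confirming on a host and, if it shows up, documenting with a comment such as `# runs unprivileged; psql history is not persisted` above `docker run \`. The same two lines are added in the hunk at `-3,6 +3,8`. The script's `if … fi` preamble precedes the hunk.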


@ -3,6 +3,8 @@
docker run \ docker run \
-it \ -it \
--rm \ --rm \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \ --network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \ {{ matrix_postgres_docker_image_to_use }} \


@ -41,6 +41,7 @@
SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
SYNAPSE_REPORT_STATS: "no" SYNAPSE_REPORT_STATS: "no"
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
cap_drop: ['all']
volumes: volumes:
- "{{ matrix_synapse_config_dir_path }}:/data" - "{{ matrix_synapse_config_dir_path }}:/data"
when: "not matrix_synapse_config_stat.stat.exists" when: "not matrix_synapse_config_stat.stat.exists"