mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-12-27 03:18:31 +01:00
316d653d3e
We run containers as a non-root user (no effective capabilities). Still, if a setuid binary is available in a container image, it could potentially be used to give the user the default capabilities that the container was started with. For Docker, the default set currently is: - "CAP_CHOWN" - "CAP_DAC_OVERRIDE" - "CAP_FSETID" - "CAP_FOWNER" - "CAP_MKNOD" - "CAP_NET_RAW" - "CAP_SETGID" - "CAP_SETUID" - "CAP_SETFCAP" - "CAP_SETPCAP" - "CAP_NET_BIND_SERVICE" - "CAP_SYS_CHROOT" - "CAP_KILL" - "CAP_AUDIT_WRITE" We'd rather prevent such a potential escalation by dropping ALL capabilities. The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
26 lines
784 B
Django/Jinja
26 lines
784 B
Django/Jinja
[Unit]
|
|
Description=Matrix Postgres server
|
|
After=docker.service
|
|
Requires=docker.service
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStartPre=-/usr/bin/docker stop matrix-postgres
|
|
ExecStartPre=-/usr/bin/docker rm matrix-postgres
|
|
ExecStart=/usr/bin/docker run --rm --name matrix-postgres \
|
|
--log-driver=none \
|
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
|
--cap-drop=ALL \
|
|
--network={{ matrix_docker_network }} \
|
|
--env-file={{ matrix_postgres_base_path }}/env-postgres-server \
|
|
-v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \
|
|
-v /etc/passwd:/etc/passwd:ro \
|
|
{{ matrix_postgres_docker_image_to_use }}
|
|
ExecStop=-/usr/bin/docker stop matrix-postgres
|
|
ExecStop=-/usr/bin/docker rm matrix-postgres
|
|
Restart=always
|
|
RestartSec=30
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|