fickit/rsync: increase overall security

2019-01-17 08:13:11 +01:00 · 2019-01-17 08:13:11 +01:00 · 5a144a26f9
parent 5e9e45da03
commit 5a144a26f9
4 changed files with 18 additions and 11 deletions
--- a/fickit-backend.yml
+++ b/fickit-backend.yml
@ -193,7 +193,7 @@ services:
        - /var/lib/fic/teams
        - /var/lib/fic/settings
  - name: fic-synchro
-    image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+    image: nemunaire/rsync:f8cc6e42fd8ae44d5b6e77fa71850e5cb36892a4
    command: ["/bin/ash", "/root/synchro.sh"]
    binds:
      - /etc/hosts:/etc/hosts:ro
@ -206,9 +206,6 @@ services:
      - /var/lib/fic/submissions:/srv/submissions
      - /var/lib/fic/teams:/srv/TEAMS:ro
    net: /run/netns/synchro
-    pid: new
-    ipc: new
-    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/files
@ -217,13 +214,16 @@ services:
        - /var/lib/fic/submissions
        - /var/lib/fic/teams
  - name: sshd
-    image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+    image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
    binds:
      - /etc/hosts:/etc/hosts:ro
-      - /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
+      - /root/.ssh/:/root/.ssh/:ro
      - /var/lib/fic/outofsync:/var/lib/fic/outofsync
      - /var/lib/fic/raw_files:/mnt/fic
+    capabilities:
+      - all
    net: /run/netns/fic-admin
+    pid: host
    runtime:
      mkdir:
        - /var/lib/fic/outofsync
--- a/fickit-frontend.yml
+++ b/fickit-frontend.yml
@ -164,7 +164,9 @@ services:
        - /var/lib/fic/submissions
        - /var/lib/fic/teams
  - name: sshd
-    image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+    image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
+    capabilities:
+      - all
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /root/.ssh/id_synchro.pub:/root/.ssh/authorized_keys:ro
@ -174,9 +176,6 @@ services:
      - /var/lib/fic/submissions:/srv/submissions
      - /var/lib/fic/teams:/srv/TEAMS
    net: /run/netns/sshd
-    pid: new
-    ipc: new
-    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/files
--- a/fickit-pkg/rsync/Dockerfile
+++ b/fickit-pkg/rsync/Dockerfile
@ -23,4 +23,3 @@ COPY etc/ /etc/
 COPY usr/ /usr/
 RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
-LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'
--- a/fickit-pkg/rsync/build.yml
+++ b/fickit-pkg/rsync/build.yml
@ -1,2 +1,11 @@
 image: rsync
 network: true
+config:
+  binds:
+    - /root/.ssh:/root/.ssh
+    - /etc/resolv.conf:/etc/resolv.conf
+  capabilities:
+    - CAP_NET_BIND_SERVICE
+  pid: new
+  ipc: new
+  uts: new