fickit/rsync: increase overall security
parent
5e9e45da03
commit
5a144a26f9
|
@ -193,7 +193,7 @@ services:
|
|||
- /var/lib/fic/teams
|
||||
- /var/lib/fic/settings
|
||||
- name: fic-synchro
|
||||
image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
|
||||
image: nemunaire/rsync:f8cc6e42fd8ae44d5b6e77fa71850e5cb36892a4
|
||||
command: ["/bin/ash", "/root/synchro.sh"]
|
||||
binds:
|
||||
- /etc/hosts:/etc/hosts:ro
|
||||
|
@ -206,9 +206,6 @@ services:
|
|||
- /var/lib/fic/submissions:/srv/submissions
|
||||
- /var/lib/fic/teams:/srv/TEAMS:ro
|
||||
net: /run/netns/synchro
|
||||
pid: new
|
||||
ipc: new
|
||||
uts: new
|
||||
runtime:
|
||||
mkdir:
|
||||
- /var/lib/fic/files
|
||||
|
@ -217,13 +214,16 @@ services:
|
|||
- /var/lib/fic/submissions
|
||||
- /var/lib/fic/teams
|
||||
- name: sshd
|
||||
image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
|
||||
image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
|
||||
binds:
|
||||
- /etc/hosts:/etc/hosts:ro
|
||||
- /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
|
||||
- /root/.ssh/:/root/.ssh/:ro
|
||||
- /var/lib/fic/outofsync:/var/lib/fic/outofsync
|
||||
- /var/lib/fic/raw_files:/mnt/fic
|
||||
capabilities:
|
||||
- all
|
||||
net: /run/netns/fic-admin
|
||||
pid: host
|
||||
runtime:
|
||||
mkdir:
|
||||
- /var/lib/fic/outofsync
|
||||
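Review bot: The `sshd` service in the last hunk ends up with `capabilities: - all` together with `pid: host`, which leaves the container close to host-equivalent and undercuts the tighter image defaults this commit introduces. The +/- markers are lost on this page, but the hunk counts (13 old lines, 16 new) suggest these lines are on the new side; the same `capabilities: - all` override appears on `sshd` in the next file. I would replace `all` with the explicit list that sshd and rsync need (for example `CAP_NET_BIND_SERVICE`, `CAP_SETUID`, `CAP_SETGID`, `CAP_SYS_CHROOT`, `CAP_CHOWN`, `CAP_DAC_OVERRIDE`, to be confirmed by testing) and drop `pid: host` unless something in the container must see host processes. If the `/root/.ssh/:/root/.ssh/:ro` bind is the new line, it also exposes every file in that directory to the container rather than only `authorized_keys`.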
|
|
|
@ -164,7 +164,9 @@ services:
|
|||
- /var/lib/fic/submissions
|
||||
- /var/lib/fic/teams
|
||||
- name: sshd
|
||||
image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
|
||||
image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
|
||||
capabilities:
|
||||
- all
|
||||
binds:
|
||||
- /etc/hosts:/etc/hosts:ro
|
||||
- /root/.ssh/id_synchro.pub:/root/.ssh/authorized_keys:ro
|
||||
|
@ -174,9 +176,6 @@ services:
|
|||
- /var/lib/fic/submissions:/srv/submissions
|
||||
- /var/lib/fic/teams:/srv/TEAMS
|
||||
net: /run/netns/sshd
|
||||
pid: new
|
||||
ipc: new
|
||||
uts: new
|
||||
runtime:
|
||||
mkdir:
|
||||
- /var/lib/fic/files
|
||||
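Review bot: Dropping `pid: new`, `ipc: new` and `uts: new` from this service (the 9-to-6 line count of the second hunk implies these are the removed lines) makes its namespace isolation depend on the default config baked into the image, which a reader of this file cannot see. I would keep the three lines here, or add a comment such as `# pid/ipc/uts namespaces come from the image's default config`. The same removal is made on `fic-synchro` in the previous file, where the image is pinned to `f8cc6e42fd8a…` rather than the `ca312b09a504…` used for `sshd`, so it is worth confirming that this tag carries the same defaults and not the earlier label with `"pid": "host"` and `"capabilities": ["all"]`.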
|
|
|
@ -23,4 +23,3 @@ COPY etc/ /etc/
|
|||
COPY usr/ /usr/
|
||||
RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
|
||||
CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
|
||||
LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'
|
||||
|
|
|
@ -1,2 +1,11 @@
|
|||
image: rsync
|
||||
network: true
|
||||
config:
|
||||
binds:
|
||||
- /root/.ssh:/root/.ssh
|
||||
- /etc/resolv.conf:/etc/resolv.conf
|
||||
capabilities:
|
||||
- CAP_NET_BIND_SERVICE
|
||||
pid: new
|
||||
ipc: new
|
||||
uts: new
|
||||
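Review bot: The default bind `- /root/.ssh:/root/.ssh` in the image config is read-write, so any service that does not override `binds` gets a writable view of the host's root SSH directory, including `authorized_keys`. The service files on this page already bind it with `:ro`; I would make the default match, `- /root/.ssh:/root/.ssh:ro` and `- /etc/resolv.conf:/etc/resolv.conf:ro`, unless the entrypoint is known to write there (not visible here). A short comment above `capabilities:` saying that `CAP_NET_BIND_SERVICE` is the baseline and that the sshd services override it would also explain why they list their own set.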
|
|