fickit/rsync: increase overall security

nemunaire 2019-01-17 08:13:11 +01:00
parent 5e9e45da03
commit 5a144a26f9
4 changed files with 18 additions and 11 deletions


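--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -193,7 +193,7 @@ services:
 - /var/lib/fic/teams
 - /var/lib/fic/settings
 - name: fic-synchro
-image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+image: nemunaire/rsync:f8cc6e42fd8ae44d5b6e77fa71850e5cb36892a4
 command: ["/bin/ash", "/root/synchro.sh"]
 binds:
 - /etc/hosts:/etc/hosts:ro
@@ -206,9 +206,6 @@ services:
 - /var/lib/fic/submissions:/srv/submissions
 - /var/lib/fic/teams:/srv/TEAMS:ro
 net: /run/netns/synchro
-pid: new
-ipc: new
-uts: new
 runtime:
 mkdir:
 - /var/lib/fic/files
@@ -217,13 +214,16 @@ services:
 - /var/lib/fic/submissions
 - /var/lib/fic/teams
 - name: sshd
-image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
 binds:
 - /etc/hosts:/etc/hosts:ro
-- /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
+- /root/.ssh/:/root/.ssh/:ro
 - /var/lib/fic/outofsync:/var/lib/fic/outofsync
 - /var/lib/fic/raw_files:/mnt/fic
+capabilities:
+- all
 net: /run/netns/fic-admin
+pid: host
 runtime:
 mkdir:
 - /var/lib/fic/outofsync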
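Review bot: The sshd bind in the third hunk now mounts the whole `/root/.ssh/` directory instead of the single `authorized_keys` file, so anything else the host keeps in that directory (private keys or known_hosts, if present) becomes readable inside the container; if only the key list is needed, `- /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro` is the narrower bind, which is what the second changed file's sshd still does via `id_synchro.pub`. The same hunk also makes `capabilities: - all` and `pid: host` explicit for sshd (the image label that used to supply them is removed in the Dockerfile), and the second changed file's sshd gains `capabilities: - all` as well; a comment stating why sshd needs every capability and the host PID namespace, or a trimmed capability list, would carry the intent of this commit over to that service. Dropping `pid`/`ipc`/`uts: new` from fic-synchro is only safe while the rsync build config keeps those defaults at `new`, so that coupling deserves a comment next to the service.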


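--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -164,7 +164,9 @@ services:
 - /var/lib/fic/submissions
 - /var/lib/fic/teams
 - name: sshd
-image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
+image: nemunaire/rsync:ca312b09a5048c165cf727660b7755f001d17650
+capabilities:
+- all
 binds:
 - /etc/hosts:/etc/hosts:ro
 - /root/.ssh/id_synchro.pub:/root/.ssh/authorized_keys:ro
@@ -174,9 +176,6 @@ services:
 - /var/lib/fic/submissions:/srv/submissions
 - /var/lib/fic/teams:/srv/TEAMS
 net: /run/netns/sshd
-pid: new
-ipc: new
-uts: new
 runtime:
 mkdir:
 - /var/lib/fic/files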


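--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -23,4 +23,3 @@ COPY etc/ /etc/
 COPY usr/ /usr/
 RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
-LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'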


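--- a/PATH-NOT-SHOWN-4
+++ b/PATH-NOT-SHOWN-4
@@ -1,2 +1,11 @@
 image: rsync
 network: true
+config:
+binds:
+- /root/.ssh:/root/.ssh
+- /etc/resolv.conf:/etc/resolv.conf
+capabilities:
+- CAP_NET_BIND_SERVICE
+pid: new
+ipc: new
+uts: new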
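Review bot: The new default bind `- /root/.ssh:/root/.ssh` is read-write, while both service definitions that consume this image mount their SSH material with `:ro`; unless the image is expected to write into `/root/.ssh`, `- /root/.ssh:/root/.ssh:ro` matches the service files and keeps a compromised container from altering the host's key material. Whether these image defaults are merged with or replaced by a service's own `binds` list is not visible here, so it is worth confirming that a service listing its own binds does not also inherit this one. A short comment above `config:` recording that `pid`/`ipc`/`uts: new` are now the only place fic-synchro gets fresh namespaces would help, since the service file dropped its own copies in this commit.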