From f221ab7655aec9e4c9b3df16759ac5c65d3b76cc Mon Sep 17 00:00:00 2001 From: Simon L Date: Wed, 31 May 2023 12:00:44 +0200 Subject: [PATCH 1/3] add fail2ban as example container for testing purposes Signed-off-by: Simon L --- .github/workflows/json-validator.yml | 8 +++++++ community-containers/fail2ban/fail2ban.json | 26 +++++++++++++++++++++ community-containers/fail2ban/readme.md | 1 + community-containers/readme.md | 1 + php/containers-schema.json | 4 ++-- php/src/Docker/DockerActionManager.php | 4 +++- 6 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 community-containers/fail2ban/fail2ban.json create mode 100644 community-containers/fail2ban/readme.md create mode 100644 community-containers/readme.md diff --git a/.github/workflows/json-validator.yml b/.github/workflows/json-validator.yml index 7640c541fee..4a3967f9a7b 100644 --- a/.github/workflows/json-validator.yml +++ b/.github/workflows/json-validator.yml @@ -23,3 +23,11 @@ jobs: sudo apt-get install python3-pip -y --no-install-recommends sudo pip3 install json-spec json validate --schema-file=php/containers-schema.json --document-file=php/containers.json + JSON_FILES="$(find ./community-containers -name '*.json')" + mapfile -t JSON_FILES <<< "$JSON_FILES" + for file in "${JSON_FILES[@]}"; do + json validate --schema-file=php/containers-schema.json --document-file="$file" | tee -a ./json-validator.log + done + if grep "Exception: document does not validate with schema." ./json-validator.log; then + exit 1 + fi diff --git a/community-containers/fail2ban/fail2ban.json b/community-containers/fail2ban/fail2ban.json new file mode 100644 index 00000000000..af9c8eeb124 --- /dev/null +++ b/community-containers/fail2ban/fail2ban.json 
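Review bot: In the new loop, piping `json validate` into `tee -a` throws away the validator's exit status, so the step only fails if the exact text "Exception: document does not validate with schema." shows up in the log; a document that is not even parseable JSON, a missing file, or a changed message in a newer json-spec release would pass silently. Check the status directly instead, e.g. `if ! json validate --schema-file=php/containers-schema.json --document-file="$file"; then echo "$file failed validation"; FAIL=1; fi` inside the loop and `[ -z "$FAIL" ] || exit 1` after it, which also drops the log file and the grep. If the tee output is wanted, at least `set -o pipefail` so the pipeline reports the validator's status. Note too that `mapfile` on an empty `find` result yields a single empty element, so a `[ -n "$file" ] || continue` guard keeps the step from invoking the validator with an empty `--document-file`.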
@@ -0,0 +1,26 @@ +{ + "aio_services_v1": [ + { + "container_name": "nextcloud-aio-fail2ban", + "display_name": "Fail2ban", + "image": "szaimen/aio-fail2ban", + "image_tag": "%AIO_CHANNEL%", + "internal_port": "host", + "restart": "unless-stopped", + "cap_add": [ + "NET_ADMIN", + "NET_RAW" + ], + "environment": [ + "TZ=%TIMEZONE%" + ], + "volumes": [ + { + "source": "nextcloud_aio_nextcloud", + "destination": "/nextcloud", + "writeable": false + } + ] + } + ] +} diff --git a/community-containers/fail2ban/readme.md b/community-containers/fail2ban/readme.md new file mode 100644 index 00000000000..ef5ac7fdafa --- /dev/null +++ b/community-containers/fail2ban/readme.md @@ -0,0 +1 @@ +This is not working on Docker Desktop since it needs network_mode: host in order to work correctly. \ No newline at end of file diff --git a/community-containers/readme.md b/community-containers/readme.md new file mode 100644 index 00000000000..1987726698d --- /dev/null +++ b/community-containers/readme.md @@ -0,0 +1 @@ +## This is a WIP and not working yet! diff --git a/php/containers-schema.json b/php/containers-schema.json index 9a4fae302e6..1f549027888 100644 --- a/php/containers-schema.json +++ b/php/containers-schema.json @@ -39,7 +39,7 @@ }, "display_name": { "type": "string", - "pattern": "^[A-Za-z ]+$" + "pattern": "^[A-Za-z 0-9]+$" }, "environment": { "type": "array", @@ -51,7 +51,7 @@ }, "container_name": { "type": "string", - "pattern": "^nextcloud-aio-[a-z-]+$" + "pattern": "^nextcloud-aio-[a-z-0-9]+$" }, "internal_port": { "type": "string", diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php index 738ae8b71d8..26cef960837 100644 --- a/php/src/Docker/DockerActionManager.php +++ b/php/src/Docker/DockerActionManager.php 
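Review bot: This definition grants `NET_ADMIN` and `NET_RAW` together with `"internal_port": "host"`, which (if "host" maps to host network mode as the fail2ban readme suggests) lets the container rewrite the host's firewall rules and sniff host traffic — a far larger trust grant than any other AIO container gets — and neither the JSON nor the one-line readme says so. The readme should state it plainly, e.g. "This container runs with host networking and the NET_ADMIN/NET_RAW capabilities so it can add iptables bans for the whole host; only enable it if you trust the image, since it can modify host firewall rules." The image is pulled from the personal namespace `szaimen/aio-fail2ban` at a floating `%AIO_CHANNEL%` tag, so what actually runs with those capabilities is whatever that tag resolves to at pull time; the readme should say where and how that image is built so operators can audit it. Mounting `nextcloud_aio_nextcloud` with `"writeable": false` is the right call and is worth a sentence in the readme as well (read-only log access only).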
@@ -477,7 +477,9 @@ public function CreateContainer(Container $container) : void { } // Disable arp spoofing - $requestBody['HostConfig']['CapDrop'] = ['NET_RAW']; + if (!in_array('NET_RAW', $capAdds, true)) { + $requestBody['HostConfig']['CapDrop'] = ['NET_RAW']; + } if ($container->isApparmorUnconfined()) { $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"]; From ca3466759fb6af1f69a4da97a53f04db0cff1901 Mon Sep 17 00:00:00 2001 From: Simon L Date: Wed, 27 Sep 2023 16:29:20 +0200 Subject: [PATCH 2/3] add community-container validator Signed-off-by: Simon L --- .github/workflows/community-containers.yml | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/community-containers.yml diff --git a/.github/workflows/community-containers.yml b/.github/workflows/community-containers.yml new file mode 100644 index 00000000000..2df5173d763 --- /dev/null +++ b/.github/workflows/community-containers.yml @@ -0,0 +1,37 @@ +name: Validate community containers + +on: + pull_request: + paths: + - 'community-containers/**' + push: + branches: + - main + paths: + - 'community-containers/**' + +jobs: + validator-community-containers: + name: Validate community containers + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Validate structure + run: | + CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)" + mapfile -t CONTAINERS <<< "$CONTAINERS" + for container in "${CONTAINERS[@]}"; do + container="$(echo "$container" | sed 's|./community-containers/||')" + if ! [ -f ./community-containers/"$container"/"$container.json" ]; then + echo ".json file must be named like its parent folder $container" + FAIL=1 + fi + if ! [ -f ./community-containers/"$container"/readme.md ]; then + echo "There must be a readme.md file in the folder!" + FAIL=1 + fi + if [ -n "$FAIL" ]; then + exit 1 + fi + done From 7661b9fb3a99f1c6ed3ed6e74b5e4b113c078c99 Mon Sep 17 00:00:00 2001 
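Review bot: The retained comment `// Disable arp spoofing` now only describes the default branch: the new `in_array('NET_RAW', $capAdds, true)` guard means any definition that lists NET_RAW in `cap_add` keeps raw-socket access, and nothing in the code says that this opt-out exists or that the JSON schema/PR review is the only thing gating it. Replace the comment with something like `// Drop NET_RAW by default so a compromised container cannot ARP-spoof; skip the drop only when the definition explicitly requests NET_RAW (e.g. fail2ban), which otherwise would conflict with CapAdd.` `$capAdds` is assigned outside the hunk (presumably from the container's cap_add list), and `CreateContainer` both starts and ends outside it, so the surrounding logic could not be checked here.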
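Review bot: The `if [ -n "$FAIL" ]; then exit 1; fi` block sits inside the `for container in ...` loop, so the job aborts at the first non-conforming directory and any later directories are never reported; move those three lines after `done` so the loop accumulates `FAIL` across all entries, which is clearly what the variable is for. As with the other workflow, `mapfile` on an empty `find` result produces a single empty element, which would print a misleading ".json file must be named like its parent folder" error for an empty string; add `[ -n "$container" ] || continue` at the top of the loop body. Using `container="$(basename "$container")"` is also simpler and safer than the `sed 's|./community-containers/||'` substitution. Since this workflow runs on pull requests that touch community-containers, consider pinning `actions/checkout@v4` to a full commit SHA rather than a mutable tag.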
From: Simon L Date: Wed, 27 Sep 2023 16:40:18 +0200 Subject: [PATCH 3/3] address review Signed-off-by: Simon L Co-authored-by: Zoey Signed-off-by: Simon L. --- php/containers-schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/containers-schema.json b/php/containers-schema.json index 1f549027888..d82338c8697 100644 --- a/php/containers-schema.json +++ b/php/containers-schema.json @@ -51,7 +51,7 @@ }, "container_name": { "type": "string", - "pattern": "^nextcloud-aio-[a-z-0-9]+$" + "pattern": "^nextcloud-aio-[a-z0-9-]+$" }, "internal_port": { "type": "string",