Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop NET_RAW from all containers in manual #4116

Merged
merged 2 commits into from
Mar 1, 2024
Merged

Drop NET_RAW from all containers in manual #4116

merged 2 commits into from
Mar 1, 2024

Conversation

jhesketh
Copy link
Contributor

#3377 drops NET_RAW from all containers, but this doesn't appear to have been adopted into the manual mode.

@jhesketh
Copy link
Contributor Author

As an aside: Are there any checks to detect configuration drift from AIO and Manual modes? Perhaps a github check could help find these kind of bugs?

Also, I wonder if more capabilities could be dropped from all of the containers.

@szaimen szaimen added 3. to review Waiting for reviews enhancement New feature or request labels Jan 26, 2024
@szaimen szaimen modified the milestones: next, v7.11.2 Jan 26, 2024
@Zoey2936
Copy link
Collaborator

you need to add this to the https://github.com/nextcloud/all-in-one/blob/main/manual-install/update-yaml.sh, otherwise your changes will be overridden when the file is regenerated

@jhesketh
Drop NET_RAW from all containers in manual
1e26613 
nextcloud#3377 drops NET_RAW from all containers, but this doesn't
appear to have been adopted into the manual mode.

Signed-off-by: Joshua Hesketh <[email protected]>
@jhesketh
Copy link
Contributor Author

@Zoey2936 Just wondering if you could please take another look at this when you get a chance. Thanks!

@Zoey2936
Copy link
Collaborator

I still think it needs to be added to the update-yaml.sh, since the latest.yaml will be automatically overriden and if you add it to the containers.json the containers will get the value twice which could cause errors

@jhesketh
Copy link
Contributor Author

Right, I see, thanks.

Wouldn't it be better to have the capabilities listed in containers.json and drop modifying it from DockerActionManager.php?

Rationale:

  1. cap_add already exists in containers.json, meaning having cap_drop is more consistent
  2. If I'm reading it correctly, any cap_drop (regardless if it is NET_RAW or something else) would be removed because this line overwrites the cap_drop array instead of appending a specific term.

@Zoey2936
Copy link
Collaborator

Not sure @szaimen did this

@jhesketh
Copy link
Contributor Author

Looking a bit closer, it seems this is a little more non-trivial than I expected. Specifically cap_drop isn't supported in containers.json. It would need loading in ContainerDefinitionFetcher.php and passed into the Container() constructor.

All doable, and possibly the neater solution due to the above rationale, but more work than placing a sed into update-yaml.sh.

I'll await @szaimen's opinion before bothering to pipe it through the definition fetcher.

@szaimen
add it to jscon schema
20c3fbc 
Signed-off-by: Simon L <[email protected]>
szaimen
szaimen approved these changes Mar 1, 2024
View reviewed changes
Copy link
Collaborator

@szaimen szaimen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@szaimen szaimen merged commit 112cc01 into nextcloud:main Mar 1, 2024
7 checks passed
@szaimen szaimen mentioned this pull request Nov 11, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@szaimen szaimen szaimen approved these changes

Assignees
No one assigned
Labels
3. to review Waiting for reviews enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jhesketh @Zoey2936 @szaimen