Commit 7088977a authored by mh's avatar mh
Browse files

let's enforce part of the important config for the container, while letting...

let's enforce part of the important config for the container, while letting upwards user still define some other aspects - + set containers to read-only by default
parent 87d09999
......@@ -73,16 +73,21 @@ define webhosting::container(
# we can't yet use keep-id on EL7 as we need cgroupv2 for
# that
if versioncmp($facts['os']['release']['major'],'8') < 0 {
$run_flags = {
$default_user_run_flags = {
'user' => '1000:0',
}
} else {
fail('validate to have cgroupv2')
$run_flags = {
$default_user_run_flags = {
'userns' => 'keep-id',
'user' => '1000:GID',
}
}
$default_run_flags = $default_user_run_flags + {
'security-opt-label-type' => 'httpd_container_rw_content',
'read-only' => true,
}
$user_container_config = pick($configuration['container_config'],{})
webhosting::common{$name:
ensure => $ensure,
uid => $real_uid,
......@@ -104,7 +109,7 @@ define webhosting::container(
user_scripts_options => $user_scripts_options,
configuration => $configuration + {
containers => {
$name => pick($configuration['container_config'],{}) + {
$name => {
ensure => $ensure,
user => $uid_name,
uid => $real_uid,
......@@ -118,10 +123,8 @@ define webhosting::container(
'security-opt-label-type' => 'socat_httpd_sidecar',
},
},
run_flags => $run_flags + {
'security-opt-label-type' => 'httpd_container_rw_content',
},
},
run_flags => pick($user_container_config['run_flags'],{}) + $default_run_flags,
} + $user_container_config,
},
},
} -> Service['apache']
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment