Drop NET_RAW from all containers in manual

#3377 drops NET_RAW from all containers, but this doesn't appear to have been adopted into the manual mode. Signed-off-by: Joshua Hesketh <josh@hesketh.net.au>
2025-12-20 06:26:57 +00:00 · 2024-01-26 15:35:24 +11:00 · 2024-01-26 15:35:24 +11:00 · 1e26613960
commit 1e26613960
parent 1cce2e535f
2 changed files with 75 additions and 3 deletions
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@ -45,6 +45,8 @@ services:
      - /usr/local/apache2/logs
      - /tmp
      - /home/www-data
    cap_drop:
      - NET_RAW
  nextcloud-aio-database:
    image: nextcloud/aio-postgresql:latest
@ -68,6 +70,8 @@ services:
    read_only: true
    tmpfs:
      - /var/run/postgresql
    cap_drop:
      - NET_RAW
  nextcloud-aio-nextcloud:
    depends_on:
@ -149,6 +153,8 @@ services:
    restart: unless-stopped
    networks:
      - nextcloud-aio
    cap_drop:
      - NET_RAW
  nextcloud-aio-notify-push:
    image: nextcloud/aio-notify-push:latest
@ -170,6 +176,8 @@ services:
    networks:
      - nextcloud-aio
    read_only: true
    cap_drop:
      - NET_RAW
  nextcloud-aio-redis:
    image: nextcloud/aio-redis:latest
@ -185,6 +193,8 @@ services:
    networks:
      - nextcloud-aio
    read_only: true
    cap_drop:
      - NET_RAW
  nextcloud-aio-collabora:
    image: nextcloud/aio-collabora:latest
@ -205,6 +215,8 @@ services:
      - nextcloud-aio
    cap_add:
      - MKNOD
    cap_drop:
      - NET_RAW
  nextcloud-aio-talk:
    image: nextcloud/aio-talk:latest
@ -234,6 +246,8 @@ services:
      - /opt/eturnal/run
      - /conf
      - /tmp
    cap_drop:
      - NET_RAW
  nextcloud-aio-talk-recording:
    image: nextcloud/aio-talk-recording:latest
@ -255,6 +269,8 @@ services:
    tmpfs:
      - /tmp
      - /conf
    cap_drop:
      - NET_RAW
  nextcloud-aio-clamav:
    image: nextcloud/aio-clamav:latest
@ -276,6 +292,8 @@ services:
      - /var/lock
      - /var/log/clamav
      - /tmp
    cap_drop:
      - NET_RAW
  nextcloud-aio-onlyoffice:
    image: nextcloud/aio-onlyoffice:latest
@ -294,6 +312,8 @@ services:
      - onlyoffice
    networks:
      - nextcloud-aio
    cap_drop:
      - NET_RAW
  nextcloud-aio-imaginary:
    image: nextcloud/aio-imaginary:latest
@ -305,6 +325,8 @@ services:
    restart: unless-stopped
    cap_add:
      - SYS_NICE
    cap_drop:
      - NET_RAW
    profiles:
      - imaginary
    networks:
@ -336,6 +358,8 @@ services:
      - fulltextsearch
    networks:
      - nextcloud-aio
    cap_drop:
      - NET_RAW
 volumes:
  nextcloud_aio_apache:
--- a/php/containers.json
+++ b/php/containers.json
@ -65,6 +65,9 @@
        "/usr/local/apache2/logs",
        "/tmp",
        "/home/www-data"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -112,6 +115,9 @@
      "read_only": true,
      "tmpfs": [
        "/var/run/postgresql"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -226,6 +232,9 @@
      ],
      "networks": [
        "nextcloud-aio"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -263,7 +272,10 @@
      "networks": [
        "nextcloud-aio"
      ],
-      "read_only": true
+      "read_only": true,
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
      "container_name": "nextcloud-aio-redis",
@ -295,7 +307,10 @@
      "networks": [
        "nextcloud-aio"
      ],
-      "read_only": true
+      "read_only": true,
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
      "container_name": "nextcloud-aio-collabora",
@ -328,6 +343,9 @@
      ],
      "cap_add": [
        "MKNOD"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -380,6 +398,9 @@
        "/opt/eturnal/run",
        "/conf",
        "/tmp"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -414,6 +435,9 @@
      "tmpfs": [
        "/tmp",
        "/conf"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -472,6 +496,9 @@
      "cap_add": [
        "SYS_ADMIN"
      ],
      "cap_drop": [
        "NET_RAW"
      ],
      "apparmor_unconfined": true,
      "read_only": true,
      "tmpfs": [
@ -494,7 +521,10 @@
          "writeable": false
        }
      ],
-      "read_only": true
+      "read_only": true,
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
      "container_name": "nextcloud-aio-domaincheck",
@ -521,6 +551,9 @@
      "tmpfs": [
        "/etc/lighttpd",
        "/var/www/domaincheck"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -556,6 +589,9 @@
        "/var/lock",
        "/var/log/clamav",
        "/tmp"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -594,6 +630,9 @@
      ],
      "networks": [
        "nextcloud-aio"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -613,6 +652,9 @@
      "cap_add": [
        "SYS_NICE"
      ],
      "cap_drop": [
        "NET_RAW"
      ],
      "profiles": [
        "imaginary"
      ],
@ -662,6 +704,9 @@
      ],
      "secrets": [
        "FULLTEXTSEARCH_PASSWORD"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    },
    {
@ -685,6 +730,9 @@
      "read_only": true,
      "tmpfs": [
        "/tmp"
      ],
      "cap_drop": [
        "NET_RAW"
      ]
    }
  ]