collabora: load seccomp profile on the fly

Signed-off-by: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Simon L. 2025-10-16 10:59:17 +02:00
parent e614202a94
commit 4ba7f1ed64
7 changed files with 899 additions and 7 deletions


@ -58,4 +58,8 @@ class DataConst {
public static function GetCommunityContainersDirectory() : string {
return realpath(__DIR__ . '/../../../community-containers/');
}
public static function GetCollaboraSeccompProfilePath() : string {
return realpath(__DIR__ . '/../cool-seccomp-profile.json');
}
}
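Review bot: `realpath()` in the new `GetCollaboraSeccompProfilePath` returns `false` when `cool-seccomp-profile.json` is missing, and with the declared `: string` return type that surfaces as a TypeError from the return statement rather than an error naming the file. The sibling `GetCommunityContainersDirectory` has the same shape, so this is consistent with the file, but since the caller feeds this path straight into the container's security options a clearer failure is worth one line: `return realpath(__DIR__ . '/../cool-seccomp-profile.json') ?: throw new \RuntimeException('Collabora seccomp profile not found');`. `?:` is safe here because `realpath()` never returns an empty string.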


@ -7,6 +7,7 @@ use AIO\Container\ContainerState;
use AIO\Container\VersionState;
use AIO\ContainerDefinitionFetcher;
use AIO\Data\ConfigurationManager;
use AIO\Data\DataConst;
use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;
use http\Env\Response;
@ -383,9 +384,10 @@ readonly class DockerActionManager {
}
}
}
// Special things for the talk container which should not be exposed in the containers.json
// Special things for the talk container which should not be exposed in the containers.json
} elseif ($container->GetIdentifier() === 'nextcloud-aio-talk') {
// This is needed due to a bug in libwebsockets which cannot handle unlimited ulimits
// This is needed due to a bug in libwebsockets used in Janus which cannot handle unlimited ulimits
$requestBody['HostConfig']['Ulimits'] = [["Name" => "nofile", "Hard" => 200000, "Soft" => 200000]];
// // Special things for the nextcloud container which should not be exposed in the containers.json
// } elseif ($container->GetIdentifier() === 'nextcloud-aio-nextcloud') {
@ -395,11 +397,19 @@ readonly class DockerActionManager {
// }
// $mounts[] = ["Type" => "bind", "Source" => $volume->name, "Target" => $volume->mountPoint, "ReadOnly" => !$volume->isWritable, "BindOptions" => [ "Propagation" => "rshared"]];
// }
// Special things for the caddy community container
// Special things for the caddy community container
} elseif ($container->GetIdentifier() === 'nextcloud-aio-caddy') {
$requestBody['HostConfig']['ExtraHosts'] = ['host.docker.internal:host-gateway'];
// Special things for the collabora container which should not be exposed in the containers.json
// Special things for the collabora container which should not be exposed in the containers.json
} elseif ($container->GetIdentifier() === 'nextcloud-aio-collabora') {
// Load reference seccomp profile for collabora
$seccompProfile = file_get_contents(DataConst::GetCollaboraSeccompProfilePath());
$seccompProfile = addslashes($seccompProfile);
$requestBody['HostConfig']['SecurityOpt'] = ["label:disable", "seccomp=$seccompProfile", "no-new-privileges=true", "apparmor=unconfined"];
// Additional Collabora options
if ($this->configurationManager->GetAdditionalCollaboraOptions() !== '') {
$requestBody['Cmd'] = [$this->configurationManager->GetAdditionalCollaboraOptions()];
}
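Review bot: The profile text is run through `addslashes()` before being embedded in the `seccomp=` entry, which looks wrong if `$requestBody` is later serialized with `json_encode` (the serialization happens outside this hunk): the encoder already escapes quotes and backslashes, so the daemon would receive `\"` sequences inside the profile and fail to parse it as JSON — the raw file contents should be used. `file_get_contents()` is also unchecked; a `false` result either raises a TypeError in `addslashes()` or, without strict types, degrades to an empty `seccomp=` value, so a failed read should abort container creation explicitly instead of starting Collabora with an unintended seccomp configuration. The same line adds `label:disable` and `apparmor=unconfined` without a comment; since these relax SELinux/AppArmor confinement while the seccomp side is tightened, a one-line why-comment would help the next reader. The enclosing method continues outside the hunk.
```php
                // Load reference seccomp profile for collabora
                $seccompProfile = file_get_contents(DataConst::GetCollaboraSeccompProfilePath());
                if ($seccompProfile === false) {
                    throw new \RuntimeException('Could not read the Collabora seccomp profile');
                }
                // Raw profile contents: if the request body is JSON-encoded later, the encoder handles escaping
                $requestBody['HostConfig']['SecurityOpt'] = ["label:disable", "seccomp=" . $seccompProfile, "no-new-privileges=true", "apparmor=unconfined"];
                // … unchanged: additional Collabora options …
```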