eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2025-12-20 06:26:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

add apparmor_unconinfed to containers definition

Browse source 
Signed-off-by: Simon L <szaimen@e.mail.de>
This commit is contained in:
Simon L 2023-04-27 19:24:14 +02:00
parent 1118ba6764
commit eeeeb2f37b
5 changed files with 22 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
php/containers-schema.json
View file

@ -88,6 +88,9 @@
"type": "string" "type": "string"
} }
}, },
"apparmor_unconfined": {
"type": "boolean"
},
"volumes": { "volumes": {
"type": "array", "type": "array",
"items": { "items": {

3
php/containers.json
View file

@ -323,7 +323,8 @@
], ],
"cap_add": [ "cap_add": [
"SYS_ADMIN" "SYS_ADMIN"
] ],
"apparmor_unconfined": true
}, },
{ {
"container_name": "nextcloud-aio-watchtower", "container_name": "nextcloud-aio-watchtower",

7
php/src/Container/Container.php
View file

@ -26,6 +26,7 @@ class Container {
/** @var string[] */ /** @var string[] */
private array $capAdd; private array $capAdd;
private int $shmSize; private int $shmSize;
private bool $apparmorUnconfined;
private DockerActionManager $dockerActionManager; private DockerActionManager $dockerActionManager;
public function __construct( public function __construct(
@ -43,6 +44,7 @@ class Container {
array $devices, array $devices,
array $capAdd, array $capAdd,
int $shmSize, int $shmSize,
bool $apparmorUnconfined,
DockerActionManager $dockerActionManager DockerActionManager $dockerActionManager
) { ) {
$this->identifier = $identifier; $this->identifier = $identifier;
@ -59,6 +61,7 @@ class Container {
$this->devices = $devices; $this->devices = $devices;
$this->capAdd = $capAdd; $this->capAdd = $capAdd;
$this->shmSize = $shmSize; $this->shmSize = $shmSize;
$this->apparmorUnconfined = $apparmorUnconfined;
$this->dockerActionManager = $dockerActionManager; $this->dockerActionManager = $dockerActionManager;
} }
@ -82,6 +85,10 @@ class Container {
return $this->shmSize; return $this->shmSize;
} }
public function isApparmorUnconfined() : bool {
return $this->apparmorUnconfined;
}
public function GetMaxShutdownTime() : int { public function GetMaxShutdownTime() : int {
return $this->maxShutdownTime; return $this->maxShutdownTime;
} }

6
php/src/ContainerDefinitionFetcher.php
View file

@ -223,6 +223,11 @@ class ContainerDefinitionFetcher
$shmSize = $entry['shm_size']; $shmSize = $entry['shm_size'];
} }
$apparmorUnconfined = false;
if (isset($entry['apparmor_unconfined'])) {
$apparmorUnconfined = $entry['apparmor_unconfined'];
}
$containers[] = new Container( $containers[] = new Container(
$entry['container_name'], $entry['container_name'],
$displayName, $displayName,
@ -238,6 +243,7 @@ class ContainerDefinitionFetcher
$devices, $devices,
$capAdd, $capAdd,
$shmSize, $shmSize,
$apparmorUnconfined,
$this->container->get(DockerActionManager::class) $this->container->get(DockerActionManager::class)
); );
} }

6
php/src/Docker/DockerActionManager.php
View file

@ -421,10 +421,12 @@ class DockerActionManager
$requestBody['HostConfig']['CapAdd'] = $capAdds; $requestBody['HostConfig']['CapAdd'] = $capAdds;
} }
if ($container->isApparmorUnconfined()) {
$requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
}
// Special things for the backup container which should not be exposed in the containers.json // Special things for the backup container which should not be exposed in the containers.json
if ($container->GetIdentifier() === 'nextcloud-aio-borgbackup') { if ($container->GetIdentifier() === 'nextcloud-aio-borgbackup') {
$requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
// Additional backup directories // Additional backup directories
$mounts = []; $mounts = [];
foreach ($this->configurationManager->GetAdditionalBackupDirectoriesArray() as $additionalBackupDirectories) { foreach ($this->configurationManager->GetAdditionalBackupDirectoriesArray() as $additionalBackupDirectories) {