From f221ab7655aec9e4c9b3df16759ac5c65d3b76cc Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 31 May 2023 12:00:44 +0200
Subject: [PATCH] add fail2ban as example container for testing purposes
Signed-off-by: Simon L
---
 .github/workflows/json-validator.yml | 8 +++++++
 community-containers/fail2ban/fail2ban.json | 26 +++++++++++++++++++++
 community-containers/fail2ban/readme.md | 1 +
 community-containers/readme.md | 1 +
 php/containers-schema.json | 4 ++--
 php/src/Docker/DockerActionManager.php | 4 +++-
 6 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 community-containers/fail2ban/fail2ban.json
 create mode 100644 community-containers/fail2ban/readme.md
 create mode 100644 community-containers/readme.md
diff --git a/.github/workflows/json-validator.yml b/.github/workflows/json-validator.yml
index 7640c541..4a3967f9 100644
--- a/.github/workflows/json-validator.yml
+++ b/.github/workflows/json-validator.yml
@@ -23,3 +23,11 @@ jobs:
 sudo apt-get install python3-pip -y --no-install-recommends
 sudo pip3 install json-spec
 json validate --schema-file=php/containers-schema.json --document-file=php/containers.json
+ JSON_FILES="$(find ./community-containers -name '*.json')"
+ mapfile -t JSON_FILES <<< "$JSON_FILES"
+ for file in "${JSON_FILES[@]}"; do
+ json validate --schema-file=php/containers-schema.json --document-file="$file" | tee -a ./json-validator.log
+ done
+ if grep "Exception: document does not validate with schema." ./json-validator.log; then
+ exit 1
+ fi
diff --git a/community-containers/fail2ban/fail2ban.json b/community-containers/fail2ban/fail2ban.json
new file mode 100644
index 00000000..af9c8eeb
--- /dev/null
+++ b/community-containers/fail2ban/fail2ban.json
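Review bot: Failure detection in the new loop depends on grepping `./json-validator.log` for one exception string, while `tee` discards the exit status of `json validate` and captures only stdout; a file that fails for any other reason (malformed JSON, a tool error, or — if json-spec prints the exception to stderr, as Python tracebacks normally are — the expected message itself) leaves the log clean and the job green. Using the command's exit status is simpler and closes that gap: `json validate --schema-file=php/containers-schema.json --document-file="$file" || exit 1` inside the loop, after which the `tee` and the `grep` block can go. Note also that when `find` returns nothing, `mapfile` on the empty here-string yields one empty element and the step runs with `--document-file=""`, so either guard with `[ -z "$JSON_FILES" ] && exit 0` or iterate over `find ... -print0` with `read -r -d ''` instead. The step's `run:` block continues outside the hunk.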
@@ -0,0 +1,26 @@
+{
+ "aio_services_v1": [
+ {
+ "container_name": "nextcloud-aio-fail2ban",
+ "display_name": "Fail2ban",
+ "image": "szaimen/aio-fail2ban",
+ "image_tag": "%AIO_CHANNEL%",
+ "internal_port": "host",
+ "restart": "unless-stopped",
+ "cap_add": [
+ "NET_ADMIN",
+ "NET_RAW"
+ ],
+ "environment": [
+ "TZ=%TIMEZONE%"
+ ],
+ "volumes": [
+ {
+ "source": "nextcloud_aio_nextcloud",
+ "destination": "/nextcloud",
+ "writeable": false
+ }
+ ]
+ }
+ ]
+}
diff --git a/community-containers/fail2ban/readme.md b/community-containers/fail2ban/readme.md
new file mode 100644
index 00000000..ef5ac7fd
--- /dev/null
+++ b/community-containers/fail2ban/readme.md
@@ -0,0 +1 @@
+This is not working on Docker Desktop since it needs network_mode: host in order to work correctly.
\ No newline at end of file
diff --git a/community-containers/readme.md b/community-containers/readme.md
new file mode 100644
index 00000000..19877266
--- /dev/null
+++ b/community-containers/readme.md
@@ -0,0 +1 @@
+## This is a WIP and not working yet!
diff --git a/php/containers-schema.json b/php/containers-schema.json
index 9a4fae30..1f549027 100644
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@@ -39,7 +39,7 @@
 },
 "display_name": {
 "type": "string",
- "pattern": "^[A-Za-z ]+$"
+ "pattern": "^[A-Za-z 0-9]+$"
 },
 "environment": {
 "type": "array",
@@ -51,7 +51,7 @@
 },
 "container_name": {
 "type": "string",
- "pattern": "^nextcloud-aio-[a-z-]+$"
+ "pattern": "^nextcloud-aio-[a-z-0-9]+$"
 },
 "internal_port": {
 "type": "string",
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index 738ae8b7..26cef960 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
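Review bot: The definition grants `NET_ADMIN` and `NET_RAW` and sets `"internal_port": "host"`, which the sibling readme says stands for host networking, but neither the file nor that readme says why the capabilities are needed; since JSON cannot carry comments, the readme is the place for it. Suggest adding a sentence there stating that fail2ban needs host networking and those two capabilities to manage firewall rules on the host, and that the `nextcloud_aio_nextcloud` volume is mounted with `"writeable": false` because the container presumably only reads logs from it — confirm against the image. The `"host"` value also overloads a field named `internal_port`; the schema hunk below shows only `"type": "string"` for it, so check that its pattern (not visible here) admits the word, otherwise the new validation step rejects this very file.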
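Review bot: The new `container_name` pattern `^nextcloud-aio-[a-z-0-9]+$` places the hyphen between two ranges, so it is a literal only because regex engines treat a `-` immediately after a range as literal; it reads as if `z-0` were intended and is easy to misread or mis-edit. Moving it to the end, `"pattern": "^nextcloud-aio-[a-z0-9-]+$"`, matches the same strings and removes the ambiguity. The `display_name` hunk above it is fine as written, since its class has no hyphen and simply gains digits.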
@@ -477,7 +477,9 @@ class DockerActionManager
 }
 
 // Disable arp spoofing
- $requestBody['HostConfig']['CapDrop'] = ['NET_RAW'];
+ if (!in_array('NET_RAW', $capAdds, true)) {
+ $requestBody['HostConfig']['CapDrop'] = ['NET_RAW'];
+ }
 
 if ($container->isApparmorUnconfined()) {
 $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
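Review bot: The comment `// Disable arp spoofing` now describes only one branch; the new `if` lets any container definition that lists `NET_RAW` in `cap_add` (from this commit on, community-contributed JSON as well) keep the capability, so the comment should say so: `// Drop NET_RAW to prevent ARP spoofing unless the container definition explicitly adds it back via cap_add`. The strict `in_array` also matches only the exact spelling `NET_RAW`; if the schema accepts the `CAP_NET_RAW` form that Docker also understands, such a definition would have the capability both added and dropped, with the outcome left to the daemon, so either normalise `$capAdds` before the check or pin the schema's `cap_add` values to the bare name. `$capAdds` is assigned, and the enclosing method begins, outside the hunk.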