mat2-web merge requestshttps://0xacab.org/jvoisin/mat2-web/-/merge_requests2020-05-09T19:28:12Zhttps://0xacab.org/jvoisin/mat2-web/-/merge_requests/30Container hardening2020-05-09T19:28:12ZjfriedliContainer hardeningI talked to Immerda and they run containers using podman (rootless). To prepare for such a deployment we have to lock down the containers as good as possible.
Closes #40
Closes #37
Closes #38
* [x] #41 Zip uploads failing....I talked to Immerda and they run containers using podman (rootless). To prepare for such a deployment we have to lock down the containers as good as possible.
Closes #40
Closes #37
Closes #38
* [x] #41 Zip uploads failing. Seems to be true for files that are not supprted...
* [x] The images from registry.0xacab.org/georg/mat2-ci-images:debian are not intended for prod use. Change it back to debian base.
* [x] Bubblewrap errors on uploading: `bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.` -> happens in combination with ` --security-opt=no-new-privileges`
* [x] Move uwsgi conf away from /tmp
* [x] Bubblewrap kills uploads: