Container hardening
I talked to Immerda and they run containers using podman (rootless). To prepare for such a deployment we have to lock down the containers as good as possible.
Closes #40 (closed)
Closes #37 (closed)
Closes #38 (closed)
-
#41 (closed) Zip uploads failing. Seems to be true for files that are not supprted... -
The images from registry.0xacab.org/georg/mat2-ci-images:debian are not intended for prod use. Change it back to debian base. -
Bubblewrap errors on uploading: bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.-> happens in combination with--security-opt=no-new-privileges -
Move uwsgi conf away from /tmp -
Bubblewrap kills uploads:
Edited by jfriedli