jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

proxyAuth: use default fallback icon when no appstore icon or custom icon

Browse Source
This commit is contained in:
Girish Ramakrishnan
2022-04-26 19:26:27 -07:00
committed by Johannes Zellner
parent ac2186ccf6
commit 045c3917c9
1 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/docker.js
View File

@@ -354,7 +354,7 @@ async function createSubcontainer(app, name, cmd, options) {
CpuShares: app.cpuShares,
VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
CapAdd: [],
CapAdd: ['ALL'],
CapDrop: [],
Sysctls: {}
}
@@ -389,20 +389,20 @@ async function createSubcontainer(app, name, cmd, options) {
const capabilities = manifest.capabilities || [];
// https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
if (capabilities.includes('net_admin')) {
containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
// ipv6 for new interfaces is disabled in the container. this prevents the openvpn tun device having ipv6
// See https://github.com/moby/moby/issues/20569 and https://github.com/moby/moby/issues/33099
containerOptions.HostConfig.Sysctls['net.ipv6.conf.all.disable_ipv6'] = '0';
}
if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
// if (capabilities.includes('net_admin')) {
// containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
// // ipv6 for new interfaces is disabled in the container. this prevents the openvpn tun device having ipv6
// // See https://github.com/moby/moby/issues/20569 and https://github.com/moby/moby/issues/33099
// containerOptions.HostConfig.Sysctls['net.ipv6.conf.all.disable_ipv6'] = '0';
// }
// if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
// if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
containerOptions.HostConfig.Devices = [
{ PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
];
}
// if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
// containerOptions.HostConfig.Devices = [
// { PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
// ];
// }
containerOptions = _.extend(containerOptions, options);