Add mlock capability to manifest (for vault app)

Girish Ramakrishnan
2020-06-26 09:13:44 -07:00
parent a96da20536
commit 84f41e08cf
4 changed files with 8 additions and 9 deletions


@@ -306,6 +306,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
Dns: ['172.18.0.1'], // use internal dns
DnsSearch: ['.'], // use internal dns
SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
CapAdd: [],
CapDrop: [ 'NET_RAW' ] // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
},
NetworkingConfig: {
@@ -318,11 +319,8 @@ function createSubcontainer(app, name, cmd, options, callback) {
};
var capabilities = manifest.capabilities || [];
if (capabilities.includes('net_admin')) {
containerOptions.HostConfig.CapAdd = [
'NET_ADMIN', 'NET_RAW'
];
}
if (capabilities.includes('net_admin')) containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
containerOptions = _.extend(containerOptions, options);
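Review bot: The `mlock` branch grants `IPC_LOCK` with a comment that covers only half of what the capability does: besides permitting mlock(), CAP_IPC_LOCK exempts the process from RLIMIT_MEMLOCK, so an app that declares `mlock` can pin memory up to whatever memory limit the container has. I would say so next to the push, e.g. `// IPC_LOCK: app may mlock() secrets to keep them out of swap; also lifts RLIMIT_MEMLOCK, so the container memory limit is the only bound`. Both grants are driven purely by strings in the app manifest, and the `_.extend(containerOptions, options)` that follows is a shallow merge, so a `HostConfig` key in `options` would replace the whole object, including this `CapAdd`, `CapDrop` and `SecurityOpt`. Whether any caller passes one is not visible here. createSubcontainer starts and ends outside these hunks.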