Commit Graph

26 Commits

Author SHA1 Message Date
Girish Ramakrishnan
bbd63b2c57 Prettify container.sh 2016-12-28 08:59:26 -08:00
Girish Ramakrishnan
b1854f82f2 prettify init base image script 2016-12-28 08:59:25 -08:00
Girish Ramakrishnan
61789e3fda Use the installer.sh from the source tarball
This redesigns how update works. installer.sh now rebuilds the package,
stops the old code and starts the new code. Importantly, it does not
download the new package, this is left to the caller. cloudron-setup
downloads the code and calls installer.sh of the downloaded code.
Same goes for updater.sh. This means that installer.sh itself is now
easily updatable.

Part of #152
2016-12-28 08:59:07 -08:00
Girish Ramakrishnan
691f6c7c5c Use docker 1.12.5
Docker uses an embedded DNS server (127.0.0.11) for user defined networks (UDN).

With the latest releases of docker, specifying 127.0.0.1 as --dns makes the
containers resolve 127.0.0.1 _inside_ the container's networking namespace
(not sure how it worked before this).

The next idea was to only specify --dns-search=. but this does not work.
This makes docker set up the containers to use 127.0.0.1 (or 127.0.0.11 for UDN).
In my mind, the UDN case should work but doesn't (not sure why).

So, the solution is to simply go with no --dns or --dns-search. Sadly,
setting dns-search just at container level does not work either :/ Strangely,

    docker run --network=cloudron --dns-search=. appimage  # does not work

    docker run --network=cloudron appimage # works if you manually remove search from /etc/resolv.conf

So clearly, something inside docker triggers when one of the dns* options is set.

This means that #130 has to be fixed at app level (For Go, this means to use the cgo resolver).
2016-12-28 08:57:48 -08:00
Girish Ramakrishnan
91e4f6fcec Add CLOUDRON chain first
This allows us to not issue an 'upgrade' yet.

Part of #152
2016-12-28 08:57:38 -08:00
Girish Ramakrishnan
103019984b Move firewall setup to container.sh
Part of #152
2016-12-28 08:57:20 -08:00
Girish Ramakrishnan
01126aaeea move ssh configuration to container.sh
Note: appstore needs to be fixed to start the provisioning on port 22

Part of #152
2016-12-28 08:57:13 -08:00
Girish Ramakrishnan
a6ab8ff02f Mount the btrfs user home data in container.sh
This allows it to be configurable easily at some point

Part of #152
2016-12-28 08:56:55 -08:00
Girish Ramakrishnan
b89886a945 Move systemd service creation scripts to container.sh
Part of #152
2016-12-28 08:56:46 -08:00
Girish Ramakrishnan
d12b71f69c move journald configuration to container.sh
Part of #152
2016-12-28 08:56:06 -08:00
Girish Ramakrishnan
53c2ed3c82 configure time in container.sh 2016-12-28 08:55:56 -08:00
Girish Ramakrishnan
148c8e6250 Give user access to system logs in container.sh
Part of #152
2016-12-28 08:55:43 -08:00
Girish Ramakrishnan
ba90490ad9 Simply remove the old sudoers file that we installed
This is an alternate fix to 743b8e757b
2016-01-05 20:24:05 -08:00
Johannes Zellner
59997560eb Do not remove all files from /etc/sudoers.d/
On DO with caas, there are no other files initially, but
on the ec2 ubuntu images, the files set the rules for the
ubuntu user to be able to sudo without a password, which we want to
keep
2016-01-05 17:06:01 +01:00
Johannes Zellner
eda4dc83a3 Do not fail in container.sh when trying to remove non-existing directories 2015-10-15 18:06:57 +02:00
Girish Ramakrishnan
5d389337cd make /var/log readonly
Expect apps to redirect logs of stdout/stderr

Part of #503
2015-10-15 00:46:50 -07:00
Girish Ramakrishnan
7f29eed326 fold janitor into main box code cron job
the volume cleaner will now also come into janitor
2015-10-14 22:39:34 -07:00
Girish Ramakrishnan
3fc0a96bb0 Add docker volumes janitor
This cleans up tmp and logrotates /var/log every 12 hours.

Note that this janitor is separate from the box janitor because they
run as different users.

Fixes #503
2015-10-14 14:18:36 -07:00
Girish Ramakrishnan
185b574bdc Add custom apparmor profile for cloudron apps
Docker generates an apparmor profile on the fly under /etc/apparmor.d/docker.
This profile gets overwritten on every docker daemon start.

This profile allows processes to ptrace themselves. This is required by
circus (python process manager) for reasons unknown to me. It floods the logs
with
    audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default"

This is easily tested using:
    docker run -it cloudron/base:0.3.3 /bin/bash
        a) now do ps
        b) journalctl should show error log as above

    docker run --security-opt=apparmor:docker-cloudron-app -it cloudron/base:0.3.3 /bin/bash
        a) now do ps
        b) no error!

Note that despite this, the process may not have the ability to ptrace since it does not
have CAP_PTRACE. Also, security-opt takes the profile name (inside the apparmor config file)
and not the filename.

References:
    https://groups.google.com/forum/#!topic/docker-user/xvxpaceTCyw
    https://github.com/docker/docker/issues/7276
    https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869

This is an infra update because we need to recreate containers to get the right profile.

Fixes #492
2015-09-21 11:01:44 -07:00
Girish Ramakrishnan
e76584b0da Move from supervisor to systemd
This removes logrotate as well since we use systemd logging
2015-09-07 14:31:25 -07:00
Girish Ramakrishnan
d6a4ff23e2 restart mysql in start.sh and not container setup 2015-08-13 15:16:01 -07:00
Girish Ramakrishnan
c2ab7e2c1f restart collectd 2015-08-13 15:04:57 -07:00
Girish Ramakrishnan
9aad3688e1 Revert "Add hack to make graphs work with latest collectd"
This reverts commit a959418544.
2015-08-13 14:42:47 -07:00
Girish Ramakrishnan
22f65a9364 Add hack to make graphs work with latest collectd
For some reason df-vda1 is not being collected by carbon. I have tried
all sorts of things and nothing works. This is a hack to get it working.
2015-08-13 13:47:44 -07:00
Girish Ramakrishnan
81b7432044 Turn off performance_schema in mysql 5.6 2015-08-13 13:47:44 -07:00
Girish Ramakrishnan
df9d321ac3 app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:10:36 -07:00