Add LDAP_BIND_DN and LDAP_BIND_PASSWORD that allow
apps to bind before a search. There appear to be two kinds of
ldap flows:
1. App simply binds using cn=<username>,$LDAP_USERS_BASE_DN. This
works swimmingly today.
2. App searches the username under a "bind_dn" using some admin
credentials. It takes the result and uses the first dn in the
result as the user dn. It then binds as step 1.
This commit tries to help out the case 2) apps. These apps really
insist on having some credentials for searching.
The backup cron job ensures backups every 4 hours which simply does
a 'box' backup listing. If we do only a 'box' backup during update,
this means that this cron job skips doing a backup and thus the apps
are not backed up.
This results in the janitor on the CaaS side complaining that the
app backups are too old.
Since we don't stop apps anymore during updates, it makes sense
to simply backup everything for updates as well. This is probably
what the user wants anyway.
Docker generates an apparmor profile on the fly under /etc/apparmor.d/docker.
This profile gets overwritten on every docker daemon start.
This profile allows processes to ptrace themselves. This is required by
circus (python process manager) for reasons unknown to me. It floods the logs
with
audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default"
This is easily tested using:
docker run -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) journalctl should show error log as above
docker run --security-opt=apparmor:docker-cloudron-app -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) no error!
Note that despite this, the process may not have ability to ptrace since it does not
have CAP_PTRACE. Also, security-opt is the profile name (inside the apparmor config file)
and not the filename.
References:
https://groups.google.com/forum/#!topic/docker-user/xvxpaceTCywhttps://github.com/docker/docker/issues/7276https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869
This is an infra update because we need to recreate containers to get the right profile.
Fixes#492
Johannes Zellner