From 77cd9df8f74273ac35a45bd186ef79c11b65f69f Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Fri, 18 May 2018 20:05:52 +0000
Subject: [PATCH] hardening

---
 docker/glutton/Dockerfile         | 4 ++++
 docker/glutton/docker-compose.yml | 3 +--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/docker/glutton/Dockerfile b/docker/glutton/Dockerfile
index f204ae9e..4531dcaf 100644
--- a/docker/glutton/Dockerfile
+++ b/docker/glutton/Dockerfile
@@ -11,6 +11,7 @@ RUN apk -U --no-cache add \
     g++ \
     iptables-dev \
     libnetfilter_queue-dev \
+    libcap \
     libpcap-dev && \
 
 # Setup go, glutton
@@ -26,6 +27,8 @@ RUN apk -U --no-cache add \
     mv /opt/go/src/github.com/mushorg/glutton/bin /opt/glutton/ && \
     mv /opt/go/src/github.com/mushorg/glutton/config /opt/glutton/ && \
     mv /opt/go/src/github.com/mushorg/glutton/rules /opt/glutton/ && \
+    setcap cap_net_admin,cap_net_raw=+ep /opt/glutton/bin/server && \
+    setcap cap_net_admin,cap_net_raw=+ep /sbin/xtables-multi && \
 
 # Setup user, groups and configs
     addgroup -g 2000 glutton && \
@@ -44,4 +47,5 @@ RUN apk -U --no-cache add \
 
 # Start glutton
 WORKDIR /opt/glutton
+USER glutton:glutton
 CMD exec bin/server -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) -l /var/log/glutton/glutton.log
diff --git a/docker/glutton/docker-compose.yml b/docker/glutton/docker-compose.yml
index 3d05c4d0..5409feef 100644
--- a/docker/glutton/docker-compose.yml
+++ b/docker/glutton/docker-compose.yml
@@ -1,5 +1,4 @@
-# For docker-compose ...
-version: '2.2'
+version: '2.3'
 services:
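Review bot: The new `libcap` package is added without a version pin, so the build is not reproducible across apk index updates (hadolint DL3018); the surrounding list is unpinned too, but this line is the one being introduced. Pin it as `libcap=<version from the apk index> \`. The RUN instruction this hunk belongs to starts before the hunk and continues after it.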
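Review bot: The two `setcap cap_net_admin,cap_net_raw=+ep` lines only take effect if CAP_NET_ADMIN is in the container's bounding set, and Docker's default capability set does not include NET_ADMIN (NET_RAW is included); with the effective bit set, exec of a file whose permitted caps cannot be obtained is expected to fail rather than run with reduced privilege. The compose change in this commit only bumps the version, so unless a `cap_add: NET_ADMIN` exists outside the visible hunk, the hardened non-root process will not start. Granting the same file capabilities to `/sbin/xtables-multi` also means every user in the image, not just `glutton`, can rewrite the firewall rules; add a comment stating why both binaries need it, e.g. `# server needs NET_ADMIN/NET_RAW for nfqueue + raw sockets; xtables-multi because rules are installed at runtime as the unprivileged user`. The enclosing RUN instruction starts and ends outside this hunk.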
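Review bot: `USER glutton:glutton` is placed directly before a CMD that writes to `/var/log/glutton/glutton.log`, and the hunk shows no `--chown`/`chown` of that directory, so the log write may now fail with EACCES if the directory is created root-owned earlier in the RUN (that part is outside the hunk; please confirm). The CMD keeps its shell form, which is fine here only because of the leading `exec`; a short comment would make that non-obvious dependency explicit, e.g. `# shell form is required for the $(...) interface lookup; exec keeps bin/server as PID 1`. Note also that the unquoted `tr -d [:punct:]` is glob-expandable by the shell, which the commit does not touch.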