diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 334b048..2b6e84d 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -26,7 +26,3 @@ services:
 volumes:
 blaze-data:
-# used in modules *-locator.yml
-secrets:
- proxy.pem:
- file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/bbmri/modules/eric-compose.yml b/bbmri/modules/eric-compose.yml
index 7fc0ef6..9ba6566 100644
--- a/bbmri/modules/eric-compose.yml
+++ b/bbmri/modules/eric-compose.yml
@@ -26,11 +26,11 @@ services:
 ALL_PROXY: http://forward_proxy:3128
 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
 ROOTCERT_FILE: /conf/root.crt.pem
- secrets:
- - proxy.pem
 depends_on:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
diff --git a/bbmri/modules/exporter-compose.yml b/bbmri/modules/exporter-compose.yml
index de2ef42..c5eb307 100644
--- a/bbmri/modules/exporter-compose.yml
+++ b/bbmri/modules/exporter-compose.yml
@@ -36,7 +36,7 @@ services:
 - "traefik.http.middlewares.exporter_auth.basicauth.users=${EXPORTER_USER}"
 volumes:
- - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output"
+ - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output:z"
 exporter-db:
 image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
@@ -47,7 +47,7 @@ services:
 POSTGRES_DB: "exporter"
 volumes:
 # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- - "/var/cache/bridgehead/bbmri/exporter-db:/var/lib/postgresql/data"
+ - "/var/cache/bridgehead/bbmri/exporter-db:/var/lib/postgresql/data:Z"
 reporter:
 image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
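Review bot: The new `/etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro` mount carries no SELinux option even though the comment directly above it gives "secrets don't allow Z" as the reason for switching to a bind mount; on an enforcing host a bind mount without `z`/`Z` is, as far as I know, readable by the container only if the host file already has a container-accessible label, so the key would be denied exactly as the secret was. Since eric and gbn both mount the same `${SITE_ID}` key, `ro,z` (shared relabel) is the option that matches that use; `Z` would re-label the file privately for whichever container was created last and break the other. If leaving it unlabeled is deliberate, the comment should say why, e.g. `# bind mount instead of a compose secret so an SELinux option can be given; left unlabeled because <reason>`. The same unlabeled key mount is added in gbn-compose.yml, the cce, ccp, dhki, itcc and kr docker-compose.yml files, kr/modules/teiler-compose.yml (ccp.conf) and modules/ssh-tunnel-compose.yml (ssh-tunnel.priv.pem). The eric service definition starts above the hunk.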
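Review bot: `exporter-files` is relabeled with the shared `z` while `exporter-db` in the next hunk gets the private `Z`; `z` marks the host directory readable and writable by every container on the host, so unless another container also mounts `/var/cache/bridgehead/bbmri/exporter-files` the stricter `Z` is the least-privilege choice. If the directory is intentionally shared, a comment naming the other consumer (e.g. `# shared label: also mounted by <service>`) would keep the next reader from tightening it by mistake. The same `z`-vs-`Z` question applies to reporter-files in the third hunk of this file, to the cce, ccp and kr exporter-compose.yml hunks, and to mtba-compose.yml.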
@@ -69,7 +69,7 @@ services:
 # There is a risk that the bridgehead restarts, losing the already created export.
 volumes:
- - "/var/cache/bridgehead/bbmri/reporter-files:/app/reports"
+ - "/var/cache/bridgehead/bbmri/reporter-files:/app/reports:z"
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.reporter_bbmri.rule=PathPrefix(`/bbmri-reporter`)"
diff --git a/bbmri/modules/gbn-compose.yml b/bbmri/modules/gbn-compose.yml
index 0fa7585..eba5428 100644
--- a/bbmri/modules/gbn-compose.yml
+++ b/bbmri/modules/gbn-compose.yml
@@ -26,11 +26,11 @@ services:
 ALL_PROXY: http://forward_proxy:3128
 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
 ROOTCERT_FILE: /conf/root.crt.pem
- secrets:
- - proxy.pem
 depends_on:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/bbmri/modules/${GBN_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/bbmri/modules/${GBN_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
diff --git a/cce/docker-compose.yml b/cce/docker-compose.yml
index 99039e7..78ad186 100644
--- a/cce/docker-compose.yml
+++ b/cce/docker-compose.yml
@@ -35,7 +35,7 @@ services:
 QUERIES_TO_CACHE: '/queries_to_cache.conf'
 ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
 volumes:
- - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro
+ - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro,Z
 depends_on:
 - "beam-proxy"
 - "blaze"
@@ -57,12 +57,10 @@ services:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/cce/root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/cce/root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
 volumes:
 blaze-data:
-
-secrets:
- proxy.pem:
- file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/cce/modules/exporter-compose.yml b/cce/modules/exporter-compose.yml
index af31465..8ecc87d 100644
--- a/cce/modules/exporter-compose.yml
+++ b/cce/modules/exporter-compose.yml
@@ -37,7 +37,7 @@ services:
 - "traefik.http.middlewares.exporter_auth.basicauth.users=${EXPORTER_USER}"
 volumes:
- - "/var/cache/bridgehead/cce/exporter-files:/app/exporter-files/output"
+ - "/var/cache/bridgehead/cce/exporter-files:/app/exporter-files/output:z"
 exporter-db:
 image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
@@ -48,7 +48,7 @@ services:
 POSTGRES_DB: "exporter"
 volumes:
 # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- - "/var/cache/bridgehead/cce/exporter-db:/var/lib/postgresql/data"
+ - "/var/cache/bridgehead/cce/exporter-db:/var/lib/postgresql/data:Z"
 reporter:
 image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
@@ -70,7 +70,7 @@ services:
 # There is a risk that the bridgehead restarts, losing the already created export.
 volumes:
- - "/var/cache/bridgehead/cce/reporter-files:/app/reports"
+ - "/var/cache/bridgehead/cce/reporter-files:/app/reports:z"
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.reporter_cce.rule=PathPrefix(`/cce-reporter`)"
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 030fcc1..fc5d63e 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -35,7 +35,7 @@ services:
 QUERIES_TO_CACHE: '/queries_to_cache.conf'
 ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
 volumes:
- - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro
+ - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro,Z
 depends_on:
 - "beam-proxy"
 - "blaze"
@@ -57,11 +57,9 @@ services:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
 volumes:
 blaze-data:
-
-secrets:
- proxy.pem:
- file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index 37b0442..3f984b1 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -35,10 +35,10 @@ services:
 BEAM_SECRET: ${TOKEN_MANAGER_SECRET}
 BEAM_DATASHIELD_PROXY: request-manager
 volumes:
- - "/var/cache/bridgehead/ccp/opal-metadata-db:/srv" # Opal metadata
- secrets:
- - opal-cert.pem
- - opal-key.pem
+ - "/var/cache/bridgehead/ccp/opal-metadata-db:/srv:Z" # Opal metadata
+ # secrets don't seem to allow us to specify Z/z
+ - /tmp/bridgehead/opal-cert.pem:/run/secrets/opal-cert.pem:z
+ - /tmp/bridgehead/opal-key.pem:/run/secrets/opal-key.pem:Z
 opal-db:
 container_name: bridgehead-opal-db
@@ -48,7 +48,7 @@ services:
 POSTGRES_USER: "opal"
 POSTGRES_DB: "opal"
 volumes:
- - "/var/cache/bridgehead/ccp/opal-db:/var/lib/postgresql/data" # Opal project data (imported from exporter)
+ - "/var/cache/bridgehead/ccp/opal-db:/var/lib/postgresql/data:Z" # Opal project data (imported from exporter)
 opal-rserver:
 container_name: bridgehead-opal-rserver
@@ -67,20 +67,14 @@ services:
 DISCOVERY_URL: "./map/central.json"
 LOCAL_TARGETS_FILE: "./map/local.json"
 NO_AUTH: "true"
- secrets:
- - opal-cert.pem
 depends_on:
 - beam-proxy
 volumes:
- - /tmp/bridgehead/opal-map/:/map/:ro
+ - /tmp/bridgehead/opal-map/:/map/:ro,Z
+ # secrets don't seem to allow us to specify Z/z
+ - /tmp/bridgehead/opal-cert.pem:/run/secrets/opal-cert.pem:z
 beam-proxy:
 environment:
 APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
 APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
-
-secrets:
- opal-cert.pem:
- file: /tmp/bridgehead/opal-cert.pem
- opal-key.pem:
- file: /tmp/bridgehead/opal-key.pem
diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml
index 0ce7f74..3504824 100644
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@@ -25,7 +25,7 @@ services:
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
 - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
- - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+ - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro,Z
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
diff --git a/ccp/modules/dnpm-node-compose.yml b/ccp/modules/dnpm-node-compose.yml
index c1f7dde..99aa15e 100644
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@@ -12,13 +12,13 @@ services:
 MYSQL_ROOT_HOST: "%"
 MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
 volumes:
- - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
+ - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql:Z
 dnpm-authup:
 image: authup/authup:latest
 container_name: bridgehead-dnpm-authup
 volumes:
- - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
+ - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable:Z
 depends_on:
 dnpm-mysql:
 condition: service_healthy
@@ -68,7 +68,7 @@ services:
 - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
 volumes:
 - /etc/bridgehead/dnpm/config:/dnpm_config
- - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
+ - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data:Z
 depends_on:
 dnpm-authup:
 condition: service_healthy
diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml
index 10ae89f..eca9825 100644
--- a/ccp/modules/exporter-compose.yml
+++ b/ccp/modules/exporter-compose.yml
@@ -24,7 +24,7 @@ services:
 - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
 - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
 volumes:
- - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
+ - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output:z"
 exporter-db:
 image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
@@ -35,7 +35,7 @@ services:
 POSTGRES_DB: "exporter"
 volumes:
 # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
+ - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data:Z"
 reporter:
 image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
@@ -57,7 +57,7 @@ services:
 # There is a risk that the bridgehead restarts, losing the already created export.
 volumes:
- - "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
+ - "/var/cache/bridgehead/ccp/reporter-files:/app/reports:z"
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
diff --git a/ccp/modules/fhir2sql-compose.yml b/ccp/modules/fhir2sql-compose.yml
index 1230e89..2dc86b0 100644
--- a/ccp/modules/fhir2sql-compose.yml
+++ b/ccp/modules/fhir2sql-compose.yml
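Review bot: The unchanged `/etc/bridgehead/dnpm/config:/dnpm_config` mount on the line above the edited one gets neither an SELinux option nor `ro`, while its sibling data directory now has `:Z`; if the backend only reads its configuration, `- /etc/bridgehead/dnpm/config:/dnpm_config:ro,Z` (or `ro,z` if another service mounts the same directory) would keep this service consistent with the rest of the commit and avoid the same denial the commit fixes elsewhere. I cannot tell from the hunk whether the container writes to that directory, so please confirm before adding `ro`. The service definition starts above the hunk.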
@@ -22,8 +22,8 @@ services:
 POSTGRES_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh
 POSTGRES_DB: "dashboard"
 volumes:
- - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data"
+ - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data:Z"
 focus:
 environment:
- POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard"
\ No newline at end of file
+ POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard"
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 4e3e90a..f8e6ed0 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -62,7 +62,7 @@ services:
 volumes:
 - "patientlist-db-data:/var/lib/postgresql/data"
 # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
- - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
+ - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/:Z"
 traefik-forward-auth:
 image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml
index 8f89449..4fa233c 100644
--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@@ -32,8 +32,8 @@ services:
 - "traefik.http.routers.mtba_ccp.tls=true"
 volumes:
- - /var/cache/bridgehead/ccp/mtba/input:/app/input
- - /var/cache/bridgehead/ccp/mtba/persist:/app/persist
+ - /var/cache/bridgehead/ccp/mtba/input:/app/input:z
+ - /var/cache/bridgehead/ccp/mtba/persist:/app/persist:z
 # TODO: Include CBioPortal in Deployment ...
 # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!
diff --git a/dhki/docker-compose.yml b/dhki/docker-compose.yml
index c8df043..31b6e55 100644
--- a/dhki/docker-compose.yml
+++ b/dhki/docker-compose.yml
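Review bot: `/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/:Z` stays writable from inside the database container although, as far as I know, the postgres entrypoint only reads that directory; `:ro,Z` would match the read-only convention the config mounts elsewhere in this commit follow and limits what a compromised container could alter in the init scripts. Please confirm nothing in the container writes there before tightening it. The service definition starts above the hunk.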
@@ -33,7 +33,7 @@ services:
 EPSILON: 0.28
 QUERIES_TO_CACHE: '/queries_to_cache.conf'
 volumes:
- - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf:ro
+ - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf:ro,Z
 depends_on:
 - "beam-proxy"
 - "blaze"
@@ -55,12 +55,10 @@ services:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/dhki/root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/dhki/root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
 volumes:
 blaze-data:
-
-secrets:
- proxy.pem:
- file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/itcc/docker-compose.yml b/itcc/docker-compose.yml
index 18adb6f..8e7f0d8 100644
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@@ -35,7 +35,7 @@ services:
 QUERIES_TO_CACHE: '/queries_to_cache.conf'
 ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
 volumes:
- - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
+ - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro,Z
 depends_on:
 - "beam-proxy"
 - "blaze"
@@ -57,12 +57,10 @@ services:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/itcc/root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/itcc/root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
 volumes:
 blaze-data:
-
-secrets:
- proxy.pem:
- file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/kr/docker-compose.yml b/kr/docker-compose.yml
index 2d5390a..66e71ee 100644
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@@ -56,12 +56,10 @@ services:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/kr/root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/kr/root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
 volumes:
 blaze-data:
-
-secrets:
- proxy.pem:
- file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/kr/modules/exporter-compose.yml b/kr/modules/exporter-compose.yml
index d5eb227..ce3c67a 100644
--- a/kr/modules/exporter-compose.yml
+++ b/kr/modules/exporter-compose.yml
@@ -24,7 +24,7 @@ services:
 - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
 - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
 volumes:
- - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
+ - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output:z"
 exporter-db:
 image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
@@ -35,7 +35,7 @@ services:
 POSTGRES_DB: "exporter"
 volumes:
 # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
+ - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data:Z"
 reporter:
 image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
@@ -57,7 +57,7 @@ services:
 # There is a risk that the bridgehead restarts, losing the already created export.
 volumes:
- - "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
+ - "/var/cache/bridgehead/ccp/reporter-files:/app/reports:z"
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
diff --git a/kr/modules/teiler-compose.yml b/kr/modules/teiler-compose.yml
index 25a3423..d47a8ea 100644
--- a/kr/modules/teiler-compose.yml
+++ b/kr/modules/teiler-compose.yml
@@ -71,9 +71,6 @@ services:
 HTTP_PROXY: "http://forward_proxy:3128"
 ENABLE_MTBA: "${ENABLE_MTBA}"
 ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
- secrets:
- - ccp.conf
-
-secrets:
- ccp.conf:
- file: /etc/bridgehead/ccp.conf
+ volumes:
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/ccp.conf:/run/secrets/ccp.conf:ro
diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
index c75e5de..344d120 100644
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -28,6 +28,9 @@ services:
 security_opt:
 # allow access to the docker socket on systems with SELinux
 - "label:type:container_runtime_t"
+ cap_add:
+ # Allow binding to ports <1024 without root
+ - NET_BIND_SERVICE
 volumes:
 - /etc/bridgehead/traefik-tls:/certs:ro
 - ../lib/traefik-configuration/:/configuration:ro
diff --git a/modules/ssh-tunnel-compose.yml b/modules/ssh-tunnel-compose.yml
index 5ca9989..5750bf9 100644
--- a/modules/ssh-tunnel-compose.yml
+++ b/modules/ssh-tunnel-compose.yml
@@ -10,8 +10,4 @@ services:
 SSH_TUNNEL_PORT: "${SSH_TUNNEL_PORT:-22}"
 volumes:
 - "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro"
- secrets:
- - privkey
-secrets:
- privkey:
- file: /etc/bridgehead/pki/ssh-tunnel.priv.pem
+ - "/etc/bridgehead/pki/ssh-tunnel.priv.pem:/run/secrets/privkey:ro"
diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml
index d2027fb..beb2b64 100644
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@@ -27,7 +27,7 @@ services:
 - NO_PROXY=${TRANSFAIR_NO_PROXIES}
 - ALL_PROXY=http://forward_proxy:3128
 volumes:
- - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
+ - /var/cache/bridgehead/${PROJECT}/transfair:/transfair:Z
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
 labels:
 - "traefik.enable=true"
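Review bot: A duplicate `volumes:` key may result from this hunk: the teiler service definition starts above the hunk, where only environment entries are visible, and if it already declares a `volumes:` block there, the file ends up with two `volumes:` keys in one mapping, which YAML parsers either reject or resolve by silently keeping the last occurrence. Please check the lines above the hunk and, if a `volumes:` list already exists, move `- /etc/bridgehead/ccp.conf:/run/secrets/ccp.conf:ro` into it instead of opening a new key.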
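Review bot: `NET_BIND_SERVICE` is already part of Docker's default capability set, so this `cap_add` changes nothing unless the service also drops capabilities or runs as a non-root `user:`, neither of which is visible in the hunk; and for a non-root user a capability that is only in the bounding set does not become effective without ambient capabilities or file capabilities on the binary, so the "without root" comment may promise more than the runtime delivers, as far as I know. If the goal is least privilege, `cap_drop: [ALL]` followed by this `cap_add` would make the intended capability set explicit; if the goal is a non-root traefik, that needs verifying end to end on an SELinux host. The service definition starts above the hunk.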