Merge 30a6c1e4d9 into e7e38cd57c

2025-12-16 11:07:30 +01:00 · 2025-02-04 15:49:44 +01:00
parent e7e38cd57c 30a6c1e4d9
commit fb59923c9d
5 changed files with 37 additions and 11 deletions
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -25,6 +25,9 @@ services:
    ports:
      - 80:80
      - 443:443
+    security_opt:
+      # allow access to the docker socket on systems with SELinux
+      - "label:type:container_runtime_t"
    volumes:
      - /etc/bridgehead/traefik-tls:/certs:ro
      - ../lib/traefik-configuration/:/configuration:ro
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@@ -12,13 +12,13 @@ services:
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
      ROOTCERT_FILE: ./conf/root.crt.pem
-    secrets:
-      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro,Z
+      # secrets don't seem to allow us to specify Z
+      - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro

  dnpm-beam-connect:
    depends_on: [ dnpm-beam-proxy ]
@@ -41,7 +41,7 @@ services:
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro,Z
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
@@ -53,7 +53,3 @@ services:
  dnpm-echo:
    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
    container_name: bridgehead-dnpm-echo
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@@ -12,13 +12,13 @@ services:
      MYSQL_ROOT_HOST: "%"
      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
    volumes:
-      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
+      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql:Z

  dnpm-authup:
    image: authup/authup:latest
    container_name: bridgehead-dnpm-authup
    volumes:
-      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
+      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable:Z
    depends_on:
      dnpm-mysql:
        condition: service_healthy
@@ -68,7 +68,7 @@ services:
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
-      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
+      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data:Z
    depends_on:
      dnpm-authup:
        condition: service_healthy