From 85b317842943e6659d0e1eeebc891f0a93a5c28b Mon Sep 17 00:00:00 2001
From: Ryan Kuba
Date: Tue, 21 Sep 2021 12:54:23 -0700
Subject: [PATCH] add ability to set security options in the readme (#126)
---
 roles/generate-jenkins/defaults/main.yml | 4 +++
 .../templates/DOCUMENTATION.j2 | 35 ++++++++++++++++++-
 roles/generate-jenkins/templates/README.j2 | 33 +++++++++++++++++
 roles/generate-jenkins/templates/lite.j2 | 10 ++++++
 vars/_container-vars-blank | 6 ++++
 5 files changed, 87 insertions(+), 1 deletion(-)
diff --git a/roles/generate-jenkins/defaults/main.yml b/roles/generate-jenkins/defaults/main.yml
index ddf304a7..49dd1b24 100644
--- a/roles/generate-jenkins/defaults/main.yml
+++ b/roles/generate-jenkins/defaults/main.yml
@@ -19,6 +19,10 @@ cap_add_param: false
 cap_add_param_vars: []
 opt_cap_add_param: false
 opt_cap_add_param_vars: []
+security_opt_param: false
+security_opt_param_vars: []
+opt_security_opt_param: false
+opt_security_opt_param_vars: []
 param_usage_include_hostname: false
 param_hostname: ""
 param_usage_include_env: false
diff --git a/roles/generate-jenkins/templates/DOCUMENTATION.j2 b/roles/generate-jenkins/templates/DOCUMENTATION.j2
index 9151db45..cacec02f 100644
--- a/roles/generate-jenkins/templates/DOCUMENTATION.j2
+++ b/roles/generate-jenkins/templates/DOCUMENTATION.j2
@@ -102,6 +102,19 @@ services:
 - {{ item.cap_add_var }} #optional
 {% endfor %}
 {% endif %}
+{% if security_opt_param or opt_security_opt_param %}
+ security_opt:
+{% endif %}
+{% if security_opt_param %}
+{% for item in security_opt_param_vars %}
+ - {{ item.compose_var }}
+{% endfor %}
+{% endif %}
+{% if opt_security_opt_param %}
+{% for item in opt_security_opt_param_vars %}
+ - {{ item.compose_var }} #optional
+{% endfor %}
+{% endif %}
 {% if param_usage_include_net is sameas true %}
 network_mode: {{ param_net }}
 {% elif param_usage_include_net == 'optional' %}
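Review bot: The `security_opt:` key in the compose section is emitted whenever either flag is true, but the two loops below it are only gated on the flags, not on their lists, so a playbook that sets `security_opt_param: true` while leaving `security_opt_param_vars: []` (the default from defaults/main.yml in this same commit) renders a bare `security_opt:` with no items, which compose reads as null rather than a list and is likely to reject. Gating the key on the lists as well avoids that: `{% if (security_opt_param and security_opt_param_vars) or (opt_security_opt_param and opt_security_opt_param_vars) %}`. The same shape is added to README.j2 in its `@@ -126,6 +126,19 @@` hunk; this appears to mirror the existing cap_add block, so the pre-existing block may have the same gap.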
@@ -226,6 +239,16 @@ docker run -d \
 --cap-add={{ item.cap_add_var }} `#optional` \
 {% endfor %}
 {% endif %}
+{% if security_opt_param %}
+{% for item in security_opt_param_vars %}
+ --security-opt={{ item.run_var }} \
+{% endfor %}
+{% endif %}
+{% if opt_security_opt_param %}
+{% for item in opt_security_opt_param_vars %}
+ --security-opt {{ item.run_var }} `#optional` \
+{% endfor %}
+{% endif %}
 {% if common_param_env_vars_enabled is sameas true %}
 {% for item in common_param_env_vars %}
 -e {{ item.env_var }}={{ item.env_value }} \
@@ -384,7 +407,7 @@ Docker images are configured using parameters passed at runtime (such as those a
 {% endfor %}
 {% endif %}
 {% endif %}
-{% if custom_params is defined or opt_custom_params is defined or param_usage_include_hostname %}
+{% if custom_params is defined or opt_custom_params is defined or param_usage_include_hostname or security_opt_param is defined or opt_security_opt_param is defined %}
 
 #### Miscellaneous Options
 
@@ -403,6 +426,16 @@ Docker images are configured using parameters passed at runtime (such as those a
 | `--{{ item.name }}=` | {{ item.desc }} |
 {% endfor %}
 {% endif %}
+{% if security_opt_param %}
+{% for item in security_opt_param_vars %}
+| `--security-opt {{ item.run_security_opt_var }}` | {{ item.desc }} |
+{% endfor %}
+{% endif %}
+{% if opt_security_opt_param %}
+{% for item in opt_security_opt_param_vars %}
+| `--security-opt {{ item.run_var }}` | {{ item.desc }} |
+{% endfor %}
+{% endif %}
 {% endif %}
 
 ## Environment variables from files (Docker secrets)
diff --git a/roles/generate-jenkins/templates/README.j2 b/roles/generate-jenkins/templates/README.j2
index 10ea8c97..3b1a06b2 100644
--- a/roles/generate-jenkins/templates/README.j2
+++ b/roles/generate-jenkins/templates/README.j2
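Review bot: The required loop in the docker run block writes `--security-opt={{ item.run_var }}` while the optional loop two lines later writes `--security-opt {{ item.run_var }}`; both spellings are accepted by the CLI, but generated READMEs then show the same flag two ways within one command. The surrounding `--cap-add=` context uses the `=` form, so the optional line could follow it: `--security-opt={{ item.run_var }} `#optional` \`. The same pair of lines is added to README.j2 (`@@ -250,6 +263,16 @@`) and lite.j2 (`@@ -48,6 +48,16 @@`).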
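Review bot: The new condition on the `#### Miscellaneous Options` section tests `security_opt_param is defined or opt_security_opt_param is defined`, but defaults/main.yml in this same commit defines both as `false`, so both tests are always true and the heading now renders for every image, including ones with no miscellaneous options at all. Every other new block in the commit tests truthiness, so the condition should too: `{% if custom_params is defined or opt_custom_params is defined or param_usage_include_hostname or security_opt_param or opt_security_opt_param %}`. The matching `{% endif %}` for this block lies in the next hunk (`@@ -403,6 +426,16 @@`), outside this one.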
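Review bot: The required-options table row reads `{{ item.run_security_opt_var }}`, a key that nothing else in the commit defines — the sample entries in vars/_container-vars-blank carry only `run_var`, `compose_var` and `desc`, and the optional row directly below already uses `run_var`. Depending on the undefined-variable setting of the template run this either prints `--security-opt ` with an empty value in the table or fails the task; the row should be `| `--security-opt {{ item.run_var }}` | {{ item.desc }} |`. README.j2 has the identical typo in its `@@ -397,6 +420,16 @@` hunk.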
@@ -126,6 +126,19 @@ services:
 - {{ item.cap_add_var }} #optional
 {% endfor %}
 {% endif %}
+{% if security_opt_param or opt_security_opt_param %}
+ security_opt:
+{% endif %}
+{% if security_opt_param %}
+{% for item in security_opt_param_vars %}
+ - {{ item.compose_var }}
+{% endfor %}
+{% endif %}
+{% if opt_security_opt_param %}
+{% for item in opt_security_opt_param_vars %}
+ - {{ item.compose_var }} #optional
+{% endfor %}
+{% endif %}
 {% if param_usage_include_net is sameas true %}
 network_mode: {{ param_net }}
 {% elif param_usage_include_net == 'optional' %}
@@ -250,6 +263,16 @@ docker run -d \
 --cap-add={{ item.cap_add_var }} `#optional` \
 {% endfor %}
 {% endif %}
+{% if security_opt_param %}
+{% for item in security_opt_param_vars %}
+ --security-opt={{ item.run_var }} \
+{% endfor %}
+{% endif %}
+{% if opt_security_opt_param %}
+{% for item in opt_security_opt_param_vars %}
+ --security-opt {{ item.run_var }} `#optional` \
+{% endfor %}
+{% endif %}
 {% if common_param_env_vars_enabled is sameas true %}
 {% for item in common_param_env_vars %}
 -e {{ item.env_var }}={{ item.env_value }} \
@@ -397,6 +420,16 @@ Container images are configured using parameters passed at runtime (such as thos
 | `--{{ item.name }}=` | {{ item.desc }} |
 {% endfor %}
 {% endif %}
+{% if security_opt_param %}
+{% for item in security_opt_param_vars %}
+| `--security-opt {{ item.run_security_opt_var }}` | {{ item.desc }} |
+{% endfor %}
+{% endif %}
+{% if opt_security_opt_param %}
+{% for item in opt_security_opt_param_vars %}
+| `--security-opt {{ item.run_var }}` | {{ item.desc }} |
+{% endfor %}
+{% endif %}
 
 ## Environment variables from files (Docker secrets)
 
diff --git a/roles/generate-jenkins/templates/lite.j2 b/roles/generate-jenkins/templates/lite.j2
index db9d9e6a..eccf04a9 100644
--- a/roles/generate-jenkins/templates/lite.j2
+++ b/roles/generate-jenkins/templates/lite.j2
@@ -48,6 +48,16 @@ docker run -d \
 --cap-add={{ item.cap_add_var }} `#optional` \
 {% endfor %}
 {% endif %}
+{% if security_opt_param %}
+{% for item in security_opt_param_vars %}
+ --security-opt={{ item.run_var }} \
+{% endfor %}
+{% endif %}
+{% if opt_security_opt_param %}
+{% for item in opt_security_opt_param_vars %}
+ --security-opt {{ item.run_var }} `#optional` \
+{% endfor %}
+{% endif %}
 {% if common_param_env_vars_enabled is sameas true %}
 {% for item in common_param_env_vars %}
 -e {{ item.env_var }}={{ item.env_value }} \
diff --git a/vars/_container-vars-blank b/vars/_container-vars-blank
index c2253482..8f595599 100644
--- a/vars/_container-vars-blank
+++ b/vars/_container-vars-blank
@@ -60,6 +60,9 @@ param_devices:
 cap_add_param: false
 cap_add_param_vars:
 - { cap_add_var: "NET_ADMIN" }
+security_opt_param: false
+security_opt_param_vars:
+ - { run_var: "seccomp=unconfined", compose_var: "seccomp:unconfined", desc: "Disabled syscall filtering" }
 
 # optional container parameters
 opt_param_usage_include_env: false
@@ -77,6 +80,9 @@ opt_param_devices:
 opt_cap_add_param: false
 opt_cap_add_param_vars:
 - { cap_add_var: "NET_ADMIN" }
+security_opt_param: false
+security_opt_param_vars:
+ - { run_var: "seccomp=unconfined", compose_var: "seccomp:unconfined", desc: "Disabled syscall filtering" }
 
 # Unraid templating
 # Disables the sync function on unraids side. On by default
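Review bot: The second hunk of vars/_container-vars-blank, under the optional-parameters section next to `opt_cap_add_param`, adds `security_opt_param` and `security_opt_param_vars` again instead of the `opt_` names the templates read, so the blank vars file now carries duplicate keys — most YAML loaders silently keep the last one — and `opt_security_opt_param` / `opt_security_opt_param_vars` are never offered to image maintainers at all. The two added keys there should read `opt_security_opt_param: false` and `opt_security_opt_param_vars:`. Separately, the sample value `seccomp=unconfined` removes Docker's default seccomp profile, so a `desc` that names what is given up, e.g. `desc: "Disables the default seccomp syscall filter (weakens container isolation)"`, would make the trade-off explicit in every README generated from this blank.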