author | Daniel Estermann <soundcracker@gmail.com> | 2021-06-07 17:54:24 +0300 |
---|---|---|
committer | Daniel Estermann <Daniel.Estermann@ti8m.ch> | 2021-06-09 12:04:11 +0300 |
commit | 56273e40459345534203433d02682c4539507c73 (patch) | |
tree | 05f8810cb84d23b448f65ab08d8431abd541d5a3 | |
parent | b741f846dc1b0886c8907906f8fcda2732a674c6 (diff) |
Include /etc/nsswitch.conf in chroot jail
Changelog: added
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | daemon.go | 9 |
2 files changed, 10 insertions, 3 deletions
@@ -92,7 +92,7 @@ as. The daemon starts listening on ports and reads certificates as root, then re-executes itself as the specified user. When re-executing it creates a chroot jail -containing a copy of its own binary, `/etc/hosts`, `/etc/resolv.conf`, and a bind mount of `pages-root`. +containing a copy of its own binary, `/etc/hosts`, `/etc/nsswitch.conf`, `/etc/resolv.conf`, and a bind mount of `pages-root`. When `-artifacts-server` points to an HTTPS URL we also need a list of certificates for the trusted Certification Authorities to copy inside the jail. @@ -110,7 +110,7 @@ $ sudo ./gitlab-pages -listen-http ":80" -pages-root path/to/gitlab/shared/pages #### Caveats -The `/etc/hosts` and `/etc/resolv.conf` files, and any file pointed to by the `SSL_CERT_FILE` +The `/etc/hosts`, `/etc/resolv.conf` and `/etc/nsswitch.conf` files, and any file pointed to by the `SSL_CERT_FILE` environment variable, will be copied into the jail. As a result, changes to these files will not be reflected in Pages until it's restarted. @@ -229,7 +229,7 @@ func jailCreate(cmd *exec.Cmd) (*jail.Jail, error) { return nil, err } - // Add /etc/resolv.conf and /etc/hosts inside the jail + // Add /etc/resolv.conf, /etc/hosts and /etc/nsswitch.conf inside the jail cage.MkDir("/etc", 0755) err = cage.Copy("/etc/resolv.conf") if err != nil { @@ -240,6 +240,13 @@ func jailCreate(cmd *exec.Cmd) (*jail.Jail, error) { return nil, err } + // When cgo is disabled, Go does not read `/etc/hosts` unless `/etc/nsswitch.conf` exists + // https://github.com/golang/go/issues/22846 + err = cage.Copy("/etc/nsswitch.conf") + if err != nil { + log.WithError(err).Warn("/etc/nsswitch.conf couldn't be copied to the jail, /etc/hosts might not be applicable") + } + // Add certificates inside the jail err = jailDaemonCerts(cmd, cage) if err != nil { |
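Review bot: In the last hunk (daemon.go, `jailCreate`), every failure of `cage.Copy("/etc/nsswitch.conf")` is downgraded to a warning, whereas the `/etc/resolv.conf` and `/etc/hosts` copies just above return the error. That is reasonable when the file simply does not exist on the host, but a permission or I/O error is treated the same way, and the daemon then runs in a jail where, by the added comment's own reasoning, `/etc/hosts` entries may be ignored and names fall through to DNS. If the error returned by `cage.Copy` preserves the underlying OS error and `os` is in scope (neither is visible here), consider tolerating only the missing-file case, e.g. `if err != nil && !os.IsNotExist(err) { return nil, err }`, and keeping the warning for the not-exist branch. Either way, a short comment such as `// Best effort: nsswitch.conf may be absent on some systems, so a failed copy must not prevent startup` would record why this copy alone is non-fatal. `jailCreate` starts and ends outside the hunk.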