field | value | date
---|---|---
author | Alessio Caiazza <acaiazza@gitlab.com> | 2018-03-21 20:29:55 +0300
committer | Nick Thomas <nick@gitlab.com> | 2018-03-21 20:29:55 +0300
commit | 51f0df18e3d8dd5f1e0faeea3b2a41e6ff73f551 (patch) |
tree | 8c222620310e6bb5a967f099314e40428e920c73 /README.md |
parent | fe1561978ed164220e471129c9b2fa6b89d07992 (diff) |
Add /etc/resolv.conf and /etc/ssl/certs to pages chroot
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 11 |
1 files changed, 9 insertions, 2 deletions
@@ -89,8 +89,13 @@ To enter this mode, run `gitlab-pages` as the root user and pass it the as. The daemon starts listening on ports and reads certificates as root, then -re-executes itself as the specified user. When re-executing it copies its own -binary to `pages-root` and changes root to that directory. +re-executes itself as the specified user. When re-executing it creates a chroot jail +containing a copy of its own binary, `/etc/resolv.conf`, and a bind mount of `pages-root`. + +When `-artifacts-server` points to an HTTPS URL we also need a list of certificates for +the trusted Certification Authorities to copy inside the jail. +A file containing such list can be specified using `SSL_CERT_FILE` environment variable. +(`SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt` on Debian) This make it possible to listen on privileged ports and makes it harder for the process to read files outside of `pages-root`. @@ -101,6 +106,8 @@ $ make $ sudo ./gitlab-pages -listen-http ":80" -pages-root path/to/gitlab/shared/pages -pages-domain example.com -daemon-uid 1000 -daemon-gid 1000 ``` +Please note that changes to `/etc/resolv.conf` or `SSL_CERT_FILE` will be ignored by `gitlab-pages` until restarted. + ### Listen on multiple ports Each of the `listen-http`, `listen-https` and `listen-proxy` arguments can be |
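Review bot: in the first hunk (`@@ -89,8 +89,13 @@`) the new `SSL_CERT_FILE` paragraph does not say what happens when `-artifacts-server` is an HTTPS URL and `SSL_CERT_FILE` is unset; please document whether the daemon refuses to start, falls back to a default bundle, or starts with a jail in which TLS verification of the artifacts server cannot succeed. The same paragraph should read "A file containing such a list" rather than "such list", and the unchanged context line that follows it still carries the pre-existing typo `This make it possible` (should be `This makes it possible`); since the paragraph is being rewritten anyway, fixing it here is cheap. That sentence's claim that the jail "makes it harder for the process to read files outside of `pages-root`" also deserves a qualifier now that the jail deliberately contains a copy of `/etc/resolv.conf` and the CA bundle, and the hunk does not say whether the `pages-root` bind mount is read-only; one sentence listing exactly what the jail holds ("the binary, a copy of `/etc/resolv.conf`, the CA bundle named by `SSL_CERT_FILE`, and `pages-root`") would make the boundary explicit.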
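Review bot: the note added in the second hunk (`@@ -101,6 +106,8 @@`) is ambiguous about what "changes to `SSL_CERT_FILE`" means; as written it reads as a change to the variable, but the operational point is that the file it names is copied into the jail when the daemon starts, so a CA bundle rotated on the host afterwards (for example the Debian `/etc/ssl/certs/ca-certificates.crt` mentioned in the previous hunk being replaced by a package update) or an edited `/etc/resolv.conf` is not visible to the running process. Suggest "the daemon copies `/etc/resolv.conf` and the file named by `SSL_CERT_FILE` into the jail at startup; later changes to either file on the host are not seen until `gitlab-pages` is restarted", and placing that note directly after the paragraph that introduces these files rather than after the example invocation, where a reader skimming for the jail's contents will not find it.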