-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | daemon.go | 29 |
2 files changed, 23 insertions, 10 deletions
@@ -96,7 +96,7 @@ as. The daemon starts listening on ports and reads certificates as root, then re-executes itself as the specified user. When re-executing it creates a chroot jail -containing a copy of its own binary, `/etc/resolv.conf`, and a bind mount of `pages-root`. +containing a copy of its own binary, `/etc/hosts`, `/etc/resolv.conf`, and a bind mount of `pages-root`. When `-artifacts-server` points to an HTTPS URL we also need a list of certificates for the trusted Certification Authorities to copy inside the jail.
@@ -114,7 +114,7 @@ $ sudo ./gitlab-pages -listen-http ":80" -pages-root path/to/gitlab/shared/pages #### Caveats -The `/etc/resolv.conf` file, and any file pointed to by the `SSL_CERT_FILE` +The `/etc/hosts` and `/etc/resolv.conf` files, and any file pointed to by the `SSL_CERT_FILE` environment variable, will be copied into the jail. As a result, changes to these files will not be reflected in Pages until it's restarted.
@@ -209,14 +209,9 @@ func jailDaemonCerts(cmd *exec.Cmd, cage *jail.Jail) error {
 	return nil
 }
 
-func jailDaemon(cmd *exec.Cmd) (*jail.Jail, error) {
+func jailCreate(cmd *exec.Cmd) (*jail.Jail, error) {
 	cage := jail.CreateTimestamped("gitlab-pages", 0755)
 
-	wd, err := os.Getwd()
-	if err != nil {
-		return nil, err
-	}
-
 	// Add /dev/urandom and /dev/random inside the jail. This is required to
 	// support Linux versions < 3.17, which do not have the getrandom() syscall
 	cage.MkDir("/dev", 0755)
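Review bot: jailCreate is a new unexported helper whose contract is not stated anywhere in the hunk: a reader cannot tell from its signature whether the returned *jail.Jail is already materialised on disk or only describes what to build, nor that the pages-root bind mount is deliberately left to the caller. A one-line comment above it would settle this, e.g. `// jailCreate returns a jail for cmd populated with the daemon binary, /dev entries, /etc files and CA certificates; the caller adds the pages-root bind mount.` The function's body continues past the end of this hunk, so the full set of files it adds is not visible here and the comment should be checked against the rest of it.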
@@ -229,17 +224,21 @@ func jailDaemon(cmd *exec.Cmd) (*jail.Jail, error) {
 	}
 
 	// Add gitlab-pages inside the jail
-	err = cage.CopyTo("/gitlab-pages", cmd.Path)
+	err := cage.CopyTo("/gitlab-pages", cmd.Path)
 	if err != nil {
 		return nil, err
 	}
 
-	// Add /etc/resolv.conf inside the jail
+	// Add /etc/resolv.conf and /etc/hosts inside the jail
 	cage.MkDir("/etc", 0755)
 	err = cage.Copy("/etc/resolv.conf")
 	if err != nil {
 		return nil, err
 	}
+	err = cage.Copy("/etc/hosts")
+	if err != nil {
+		return nil, err
+	}
 
 	// Add certificates inside the jail
 	err = jailDaemonCerts(cmd, cage)
@@ -247,6 +246,20 @@ func jailDaemon(cmd *exec.Cmd) (*jail.Jail, error) {
 		return nil, err
 	}
 
+	return cage, nil
+}
+
+func jailDaemon(cmd *exec.Cmd) (*jail.Jail, error) {
+	cage, err := jailCreate(cmd)
+	if err != nil {
+		return nil, err
+	}
+
+	wd, err := os.Getwd()
+	if err != nil {
+		return nil, err
+	}
+
 	// Bind mount shared folder
 	cage.MkDir(pagesRootInChroot, 0755)
 	cage.Bind(pagesRootInChroot, wd)
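Review bot: The added `err = cage.Copy("/etc/hosts")` makes the presence of /etc/hosts a hard startup requirement: any error from it is returned unchanged, so on a host where the file is absent (minimal container images are the usual case) jailCreate fails and the daemon no longer starts, whereas before this commit it did. Whether Copy reports a missing source file as an error is not visible in this hunk; if it does, and it preserves the underlying stat error, the absence could be tolerated explicitly with `if err = cage.Copy("/etc/hosts"); err != nil && !errors.Is(err, os.ErrNotExist) { return nil, err }` so that only real failures abort, while a missing file simply leaves resolution inside the jail to /etc/resolv.conf as today. Either way the behaviour should be stated in the comment above the copy, e.g. `// /etc/hosts is copied when present; the jail sees a snapshot taken at startup`, since the README caveat only covers staleness, not absence. The enclosing function jailCreate begins before this hunk.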