HomePhabricator
Diffusion Wikimedia Puppet 027447f35c0f

Allow optional firejail containment for nodejs services.
027447f35c0f
Actions

Description

Allow optional firejail containment for nodejs services.

This has been initially tested with mathoid and after we flip
the services one-by-one, the firejail conditional can be dropped,
making firejail the default for all future node services.

The current configuration runs every nodefs service an isolated
Linux namespace with

  • read-only system directories (like /usr or /lib)
  • private PID space
  • private /tmp (using tmpfs)
  • /root and /home/* blacklisted
  • reduced capabilities: CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN
  • filtered syscalls: mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, iopl,ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev, sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init kcmp

Bug: T101870
Change-Id: I7e9c8d1c3f7d6655bba598938eba885210c9e9d6

Details

Provenance
MuehlenhoffAuthored on
Parents
rOPUPef118bef3fc4: conftool: update etcd hosts list
Branches
Unknown
Tags
Unknown
ChangeId
I7e9c8d1c3f7d6655bba598938eba885210c9e9d6

Changes (2)

PathSize
modules/
service/
manifests/
templates/
node/

rOPUP027447f35c0f

View Options

modules/service/manifests/node.pp

Loading...
View Options

modules/service/templates/node/upstart.conf.erb

Loading...
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL