-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change modsecurity directories #2660
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2660 +/- ##
=========================================
+ Coverage 40.84% 40.9% +0.05%
=========================================
Files 72 72
Lines 5073 5073
=========================================
+ Hits 2072 2075 +3
+ Misses 2718 2716 -2
+ Partials 283 282 -1
Continue to review full report at Codecov.
|
rootfs/Dockerfile
Outdated
@@ -37,6 +37,13 @@ RUN setcap cap_net_bind_service=+ep /usr/sbin/nginx \ | |||
RUN mkdir -p /etc/ingress-controller/ssl /etc/ingress-controller/auth \ | |||
&& chown -R www-data.www-data /etc/nginx /etc/ingress-controller | |||
|
|||
RUN mkdir -p /tmp/modsecurity/audit /tmp/modsecurity/upload \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this seems to be a recurring problem and probably not the last time permissions have to be adjusted, I'd be in favor of declaring an array of all directories used by the controller and applying ownership in one go. This mix and match of chown and file sed'ing feels suboptimal and prone to errors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree but we have a problem, some or most of the directories are located in the parent image or even worse in configuration files with some defaults. I don't see an easy way to tackle this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I persist in thinking defining an array in the Dockerfile instead of changing configs in place would be a good attempt at documenting what directories nginx/controller write to, at least.
Either that or move everything under /tmp.
None of these are ideal, but it would at least be consistent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
rootfs/Dockerfile
Outdated
&& sed -i 's|/var/log/modsec_audit.log|/tmp/modsec_audit.log|g' /etc/nginx/modsecurity/modsecurity.conf \ | ||
&& sed -i 's|/opt/modsecurity/var/log/debug.log|/tmp/debug.log|g' /etc/nginx/modsecurity/modsecurity.conf \ | ||
&& sed -i 's|/opt/modsecurity/var/upload|/tmp/modsecurity/upload|g' /etc/nginx/modsecurity/modsecurity.conf \ | ||
&& sed -i 's|/opt/modsecurity/var/audit|/tmp/modsecurity/audit|g' /etc/nginx/modsecurity/modsecurity.conf |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these temporary files by definition (I have never used modsecurity)? If not can we create the modsecurity dedicated folder in user's home directory?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All this directories are temporal
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, antoineco The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
Running as user prevents the start of modsecurity. Changing directories to fix this issue.