First security update in 3ys

Switch Docker container to run as unprivileged user (nobody), switch seccomp to DENY by default, deny clone as we are running in an environment without cgroups. Remove old deployments infrastructure.
rapidlua · Oct 8, 2022 · a5a5c5f · a5a5c5f
1 parent ecc2fb0
commit a5a5c5f
Show file tree

Hide file tree

Showing 17 changed files with 10 additions and 585 deletions.
diff --git a/.github/workflows/build-and-trigger-deploy.yml b/.github/workflows/build-and-trigger-deploy.yml
@@ -9,7 +9,6 @@ on:
 
 env:
   IMAGEID: rapidlua/luajit.me
-  PACKERV: 1.5.1
 
 jobs:
   version-stamp:
@@ -21,22 +20,6 @@ jobs:
     - uses: actions/upload-artifact@v1.0.0
       with: { name: version, path: version }
 
-  cloud-images:
-    runs-on: ubuntu-latest
-    needs: version-stamp
-    steps:
-    - name: Install packer
-      run: >
-        curl https://releases.hashicorp.com/packer/${PACKERV}/packer_${PACKERV}_linux_$(dpkg --print-architecture).zip > packer.zip &&
-        unzip packer.zip &&
-        sudo install packer /usr/bin &&
-        rm packer.zip packer
-    - uses: actions/checkout@v1
-    - uses: actions/download-artifact@v1.0.0
-      with: { name: version }
-    - name: Build cloud images
-      run: packer build -var "version=$(cat version/version)" -var "digitalocean_token=${{ secrets.DIGITALOCEAN_TOKEN }}" deployments/cloud-images.json
-
   docker-image-amd64:
     runs-on: ubuntu-latest
     needs: version-stamp
@@ -54,7 +37,7 @@ jobs:
 
   postprocess-and-trigger-deploy:
     runs-on: ubuntu-latest
-    needs: [version-stamp, cloud-images, docker-image-amd64]
+    needs: [version-stamp, docker-image-amd64]
     steps:
       - uses: actions/download-artifact@v1.0.0
         with: { name: version }
@@ -77,11 +60,3 @@ jobs:
             docker manifest create "${IMAGEID}:latest" "${IID}-amd64" &&
             docker manifest push "${IMAGEID}:latest"
           fi
-      - name: Trigger deploy
-        run: >
-          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
-            ENV=production; REF=${GITHUB_REF}
-          else
-            ENV=staging; REF=${GITHUB_SHA}
-          fi;
-          curl -sd "{\"ref\":\"${REF}\",\"required_contexts\":[],\"environment\":\"${ENV}\",\"payload\":{\"version\":\"$(cat version/version)\"}}" https://api.github.com/repos/${GITHUB_REPOSITORY}/deployments -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/cloud-gc.js b/.github/workflows/cloud-gc.js
diff --git a/.github/workflows/cloud-gc.yml b/.github/workflows/cloud-gc.yml
diff --git a/Dockerfile b/Dockerfile
@@ -40,7 +40,7 @@ RUN mkdir -p /root/dist/usr/src/luajit.me \
 #   Lua runtime dependencies
 #
 #######################################################################
-FROM alpine AS lua-img-base
+FROM alpine:3.9 AS lua-img-base
 
 # install lua runtime dependencies
 RUN apk update && apk upgrade && apk add libgcc
@@ -59,7 +59,7 @@ RUN find / -xdev | sed -e '/[/]\(root\|run\)[/]/d' > /root/system-files.list &&
 #   also includes some of the source code to build
 #
 #######################################################################
-FROM alpine AS c-src-builder
+FROM alpine:3.9 AS c-src-builder
 
 # install build dependencies
 RUN apk update && apk upgrade && \
@@ -128,7 +128,7 @@ RUN REV=v2.1.0-beta3 GC64=1 /root/dist-build.sh
 #   combines bits and pieces together
 #
 #######################################################################
-FROM alpine AS luajit.me.staging
+FROM alpine:3.9 AS luajit.me.staging
 RUN apk add fdupes
 
 RUN mkdir -p /root/dist/usr/lib/luajit.me/images/dev/shm
@@ -151,4 +151,5 @@ FROM node:10-alpine AS luajit.me
 COPY --from=luajit.me.staging root/dist /
 
 EXPOSE 8000
+USER nobody
 CMD ["node", "/usr/src/luajit.me/server/app.js"]
diff --git a/deployments/cloud-images.json b/deployments/cloud-images.json
diff --git a/deployments/modules/backend/app.nginx.conf b/deployments/modules/backend/app.nginx.conf