I'm just a grunt. Don't blame me for this awful PoS.

2023-09-05 05:12:24 +03:00
parent 8e40ee36a9
commit 8edb5737bc

13
harden

@@ -54,7 +54,6 @@ function get_package_manager {
"CentOS Linux" | "Fedora" | "Red Hat Enterprise Linux Server") # If the distribution is CentOS, Fedora or RHEL
printf "%s" "dnf" # Output dnf
;;
"openSUSE Leap") # If the distribution is OpenSUSE
printf "%s" "zypper" # Output zypper
;;
@@ -185,7 +184,6 @@ function getCorrectFirewall {
exit 1 # Exit with error code 1
;;
esac
}
function getCorrectKernelSecurityModule {
@@ -208,7 +206,6 @@ function getCorrectKernelSecurityModule {
sudo dnf install selinux container-selinux -y # Install selinux
printf "%s" "selinux" # Output selinux
;;
"openSUSE Leap") # If the distribution is OpenSUSE
sudo zypper install -t pattern apparmor -y # Install apparmor
printf "%s" "apparmor" # Output apparmor
@@ -320,11 +317,13 @@ EOF
rm -f -- *.sha512
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
sudo chown secdep:secdep /home/secdep/bin/runsc
sudo chown secdep:secdep /home/secdep/bin/containerd-shim-runsc-v1
)
# Enable gVisor for docker by default while hardening the docker daemon.json file
# The no-new-privileges option will prevent the docker daemon from gaining new privileges
# The runsc option --network=host and --ignore-cgroup will help with running runsc
# with rootless docker
# The runsc option --network=host and --ignore-cgroups=true will help with running runsc
# with rootless docker without much hassle
sudo runuser - secdep -c 'mkdir -p /home/secdep/.config/docker'
# "icc": false to disable inter-container communication, does not work without br_netfilter module loaded
# and it is sometimes prohibited by the hosting provider
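Review bot: The comment `# The no-new-privileges option will prevent the docker daemon from gaining new privileges` (which appears to be on the new side of this hunk, although the rendered page does not make the side certain) misdescribes the setting: `no-new-privileges` in daemon.json is a container default that keeps processes inside containers from acquiring additional privileges, for example through setuid binaries; it does not restrict the daemon process itself. Suggest `# no-new-privileges is the container default: processes in a container cannot gain privileges (e.g. via setuid binaries); it does not constrain the daemon`. The two comment lines about `--network=host` should also say that host networking bypasses gVisor's own network stack, so the isolation trade-off made for rootless operation is visible to whoever reads this file later. The script section this comment block belongs to continues outside the hunk.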
@@ -339,7 +338,9 @@ EOF
"path": "/home/secdep/bin/runsc",
"runtimeArgs": [
"--network=host",
"--ignore-cgroups"
"--ignore-cgroups=true",
"--overlay2 all:memory",
"--rootless"
]
}
}
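Review bot: The new entry `"--overlay2 all:memory"` is handed to runsc as one argv element, and a Go-style flag parser reads everything up to `=` as the flag name, so the runtime will most likely reject it as an unknown flag and every container started on this runtime fails; write it as `"--overlay2=all:memory"` (or split it into `"--overlay2", "all:memory"`), matching the `--ignore-cgroups=true` form on the line above. The context line `"--network=host"` deserves a comment in the heredoc's surrounding comment block stating that it gives the sandbox the host network stack instead of gVisor's netstack, since that removes part of the isolation that is the reason for choosing runsc. The daemon.json heredoc and the surrounding script continue outside the hunk.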