958e245813
This allows overriding the default seccomp profile. The custom profile was generated from the default one [0] by adding one allowed system call, 'clock_adjtime'. This call is used indirectly by chronyd with the recent glibc 2.31. [0]: https://github.com/containers/libpod/blob/master/seccomp.json Fixes: https://pagure.io/freeipa/issue/8316 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
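---
# Docker Compose definition of three test containers (master, replica, client)
# built from the local Dockerfile and attached to one IPv6-enabled bridge
# network. Values written as ${...} are substituted by Compose from the
# environment of the process that runs it.
#
# NOTE(review): every service is started with all Linux capabilities and
# without AppArmor confinement, so the seccomp profile is one of the few
# syscall-level restrictions still applied. Keep this file to disposable
# test hosts; if it is reused elsewhere, narrow cap_add to the capabilities
# the workload actually needs.
version: '2.1'

services:
  master:
    image: ${IPA_DOCKER_IMAGE}
    build: .
    # Grants the container every capability instead of the default subset.
    cap_add:
      - ALL
    security_opt:
      # Turns off the AppArmor profile for this container.
      - apparmor:unconfined
      # Replaces the runtime's default seccomp profile with ./seccomp.json.
      # Per the commit that added this line, the file is the libpod default
      # profile plus one extra allowed syscall, clock_adjtime (used
      # indirectly by chronyd with glibc 2.31). Review any later change to
      # seccomp.json as a change to the syscall allowlist.
      - seccomp:./seccomp.json
    mem_limit: 1900m
    volumes:
      # Host cgroup hierarchy for systemd, bind-mounted without :ro, so the
      # mount is writable from inside the container.
      # presumably needed to run systemd in the container; confirm
      - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
      # Test configuration, read-only.
      - ./ipa-test-config.yaml:/root/.ipa/ipa-test-config.yaml:ro
      # Build checkout from the host, mounted read-write at the tests path.
      - ${BUILD_REPOSITORY_LOCALPATH}:${IPA_TESTS_REPO_PATH}
    networks:
      # presumably resolves to a network declared under the top-level
      # `networks` key (ipanet); confirm against the caller's environment
      - ${IPA_NETWORK}

  replica:
    image: ${IPA_DOCKER_IMAGE}
    build: .
    # Same privilege settings as master: all capabilities, no AppArmor,
    # custom seccomp profile.
    cap_add:
      - ALL
    security_opt:
      - apparmor:unconfined
      - seccomp:./seccomp.json
    mem_limit: 1900m
    volumes:
      # Writable bind mount of the host's systemd cgroup hierarchy.
      - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
    networks:
      - ${IPA_NETWORK}

  client:
    image: ${IPA_DOCKER_IMAGE}
    build: .
    # Same privilege settings as master: all capabilities, no AppArmor,
    # custom seccomp profile.
    cap_add:
      - ALL
    security_opt:
      - apparmor:unconfined
      - seccomp:./seccomp.json
    # 536870912 bytes = 512 MiB.
    mem_limit: 536870912
    volumes:
      # Writable bind mount of the host's systemd cgroup hierarchy.
      - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
      # nfs server
      # ./exports is mounted read-write; the host's kernel modules are
      # mounted read-only.
      # presumably /lib/modules is there for the NFS server; confirm
      - ./exports:/exports
      - /lib/modules:/lib/modules:ro
    networks:
      - ${IPA_NETWORK}

networks:
  ipanet:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        # IPv6 subnet for the bridge, supplied by the environment.
        - subnet: ${IPA_IPV6_SUBNET}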