From 641290c20af46e995fa6ac7c8a0584b96b17c8a5 Mon Sep 17 00:00:00 2001
From: Antoine Cotten
Date: Fri, 11 Feb 2022 20:11:22 +0100
Subject: [PATCH] Apply SELinux options to bind mounts
https://docs.docker.com/storage/bind-mounts/
Related to #639
Closes #661
---
 docker-compose.yml | 6 +++---
 extensions/apm-server/apm-server-compose.yml | 5 +----
 extensions/curator/curator-compose.yml | 10 ++--------
 .../enterprise-search/enterprise-search-compose.yml | 5 +----
 extensions/filebeat/filebeat-compose.yml | 5 +----
 extensions/logspout/logspout-compose.yml | 5 ++++-
 extensions/metricbeat/metricbeat-compose.yml | 5 +----
 7 files changed, 13 insertions(+), 28 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 91dc17d..3411d12 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,8 +27,8 @@ services:
 args:
 ELK_VERSION: $ELK_VERSION
 volumes:
- - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro,z
- - ./logstash/pipeline:/usr/share/logstash/pipeline:ro,z
+ - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro,Z
+ - ./logstash/pipeline:/usr/share/logstash/pipeline:ro,Z
 ports:
 - "5044:5044"
 - "5000:5000/tcp"
@@ -47,7 +47,7 @@ services:
 args:
 ELK_VERSION: $ELK_VERSION
 volumes:
- - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro,z
+ - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro,Z
 ports:
 - "5601:5601"
 networks:
diff --git a/extensions/apm-server/apm-server-compose.yml b/extensions/apm-server/apm-server-compose.yml
index bd21a2d..991e553 100644
--- a/extensions/apm-server/apm-server-compose.yml
+++ b/extensions/apm-server/apm-server-compose.yml
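Review bot: In docker-compose.yml, the switch from `z` to `Z` on the two logstash mounts (and on the kibana mount in the second hunk) has no comment recording what the private label implies. Per the bind-mount documentation the commit links, `Z` gives the host path a label private to one container, so the same path can no longer be mounted into a second container (a second replica of the service, for instance), and the relabel is applied to the host files themselves even though the mount is `ro`. I would add above each of these `volumes:` lists something like `# Z = private SELinux label: do not bind-mount this host path into any other container`. Both service definitions start and end outside these hunks.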
@@ -11,10 +11,7 @@ services:
 # https://www.elastic.co/guide/en/beats/libbeat/current/config-file-permissions.html
 - --strict.perms=false
 volumes:
- - type: bind
- source: ./extensions/apm-server/config/apm-server.yml
- target: /usr/share/apm-server/apm-server.yml
- read_only: true
+ - ./extensions/apm-server/config/apm-server.yml:/usr/share/apm-server/apm-server.yml:ro,Z
 ports:
 - '8200:8200'
 networks:
diff --git a/extensions/curator/curator-compose.yml b/extensions/curator/curator-compose.yml
index 96dae3c..60786a6 100644
--- a/extensions/curator/curator-compose.yml
+++ b/extensions/curator/curator-compose.yml
@@ -6,14 +6,8 @@ services:
 context: extensions/curator/
 init: true
 volumes:
- - type: bind
- source: ./extensions/curator/config/curator.yml
- target: /usr/share/curator/config/curator.yml
- read_only: true
- - type: bind
- source: ./extensions/curator/config/delete_log_files_curator.yml
- target: /usr/share/curator/config/delete_log_files_curator.yml
- read_only: true
+ - ./extensions/curator/config/curator.yml:/usr/share/curator/config/curator.yml:ro,Z
+ - ./extensions/curator/config/delete_log_files_curator.yml:/usr/share/curator/config/delete_log_files_curator.yml:ro,Z
 networks:
 - elk
 depends_on:
diff --git a/extensions/enterprise-search/enterprise-search-compose.yml b/extensions/enterprise-search/enterprise-search-compose.yml
index dd57424..fcb12c1 100644
--- a/extensions/enterprise-search/enterprise-search-compose.yml
+++ b/extensions/enterprise-search/enterprise-search-compose.yml
@@ -7,10 +7,7 @@ services:
 args:
 ELK_VERSION: $ELK_VERSION
 volumes:
- - type: bind
- source: ./extensions/enterprise-search/config/enterprise-search.yml
- target: /usr/share/enterprise-search/config/enterprise-search.yml
- read_only: true
+ - ./extensions/enterprise-search/config/enterprise-search.yml:/usr/share/enterprise-search/config/enterprise-search.yml:ro,Z
 environment:
 JAVA_OPTS: -Xmx2g -Xms2g
 ENT_SEARCH_DEFAULT_PASSWORD: 'changeme'
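Review bot: Moving the apm-server.yml mount from long to short syntax changes what happens when the host file is missing: as documented for Docker bind mounts, short syntax implies host-path creation, so a wrong working directory or a typo in the source path can leave an empty directory mounted over `/usr/share/apm-server/apm-server.yml` instead of failing at start-up as the `type: bind` form does. The same conversion is made in the curator and enterprise-search hunks and in the filebeat and metricbeat files. Where the Compose implementation in use supports it, the long form can keep the fail-fast behaviour and still relabel, by restoring the removed entry and adding `bind:` / `selinux: Z` under it; otherwise a comment such as `# short syntax is needed for the Z option; the source file must exist before 'up'` would record the trade-off. The service definition continues outside the hunk.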
diff --git a/extensions/filebeat/filebeat-compose.yml b/extensions/filebeat/filebeat-compose.yml
index 40b1150..86dd11d 100644
--- a/extensions/filebeat/filebeat-compose.yml
+++ b/extensions/filebeat/filebeat-compose.yml
@@ -17,10 +17,7 @@ services:
 # see: https://www.elastic.co/guide/en/beats/libbeat/current/config-file-permissions.html
 - --strict.perms=false
 volumes:
- - type: bind
- source: ./extensions/filebeat/config/filebeat.yml
- target: /usr/share/filebeat/filebeat.yml
- read_only: true
+ - ./extensions/filebeat/config/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro,Z
 - type: bind
 source: /var/lib/docker/containers
 target: /var/lib/docker/containers
diff --git a/extensions/logspout/logspout-compose.yml b/extensions/logspout/logspout-compose.yml
index 1c349f2..bb60bef 100644
--- a/extensions/logspout/logspout-compose.yml
+++ b/extensions/logspout/logspout-compose.yml
@@ -5,7 +5,10 @@ services:
 build:
 context: extensions/logspout
 volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
+ - type: bind
+ source: /var/run/docker.sock
+ target: /var/run/docker.sock
+ read_only: true
 environment:
 ROUTE_URIS: logstash://logstash:5000
 LOGSTASH_TAGS: docker-elk
diff --git a/extensions/metricbeat/metricbeat-compose.yml b/extensions/metricbeat/metricbeat-compose.yml
index 81ceb35..24770ed 100644
--- a/extensions/metricbeat/metricbeat-compose.yml
+++ b/extensions/metricbeat/metricbeat-compose.yml
@@ -20,10 +20,7 @@ services:
 # from within a container.
 - --system.hostfs=/hostfs
 volumes:
- - type: bind
- source: ./extensions/metricbeat/config/metricbeat.yml
- target: /usr/share/metricbeat/metricbeat.yml
- read_only: true
+ - ./extensions/metricbeat/config/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml:ro,Z
 - type: bind
 source: /
 target: /hostfs
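Review bot: In the logspout hunk, `read_only: true` on `/var/run/docker.sock` carries over the old `:ro` flag but does not limit what the container can ask of the Docker daemon: a read-only bind mount of a Unix socket still allows connecting to it, so logspout keeps full access to the Docker API. Leaving the socket without a `z`/`Z` label is the right call, and both facts deserve a comment above the entry, e.g. `# no SELinux relabel: docker.sock is a host system path` and `# read_only does not restrict Docker API calls made over the socket`. If the deployment needs a real restriction, the socket would have to be reached through an API-filtering proxy that exposes only the endpoints logspout reads, which is outside this commit. On an SELinux-enforcing host the unlabeled socket may also still be denied to the container; that cannot be confirmed from the hunk.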