Handle more edge cases; more clear warnings

2026-04-02 08:12:21 -07:00 · 2026-01-05 02:08:32 +00:00
parent 16375abb51
commit c86d0c8772
15 changed files with 613 additions and 1482 deletions
--- a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.active_config_unwritable.yml
+++ b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.active_config_unwritable.yml
@@ -14,6 +14,8 @@ services:
      - ALL
    cap_add:
      - CHOWN
+      - SETGID
+      - SETUID
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
@@ -31,12 +33,31 @@ services:
        source: test_netalertx_data
        target: /data
        read_only: false
+      - type: tmpfs
+        target: /tmp/log
+        tmpfs:
+          size: 64m
+          mode: 1777
+          options: noexec,nosuid,nodev,async,noatime,nodiratime
+      - type: tmpfs
+        target: /tmp/api
+        tmpfs:
+          size: 64m
+          mode: 1777
+          options: noexec,nosuid,nodev,async,noatime,nodiratime
+      - type: tmpfs
+        target: /tmp/run
+        tmpfs:
+          size: 64m
+          mode: 1777
+          options: noexec,nosuid,nodev,async,noatime,nodiratime
      - type: volume
        source: test_system_services_active_config
        target: /tmp/nginx/active-config
        read_only: true
    tmpfs:
-      - "/tmp:mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      # Ensure /tmp is a writable tmpfs for the app user; mode 1777 to support su-exec drop.
+      - /tmp:uid=20211,gid=20211,mode=1777,noexec,nosuid,nodev,size=64m
 volumes:
  test_netalertx_data:
  test_system_services_active_config:
--- a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.data_noread.yml
+++ b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.data_noread.yml
@@ -8,7 +8,6 @@ services:
      dockerfile: Dockerfile
    image: netalertx-test
    container_name: netalertx-test-mount-data_noread
-    user: "20211:20211"
    cap_drop:
      - ALL
    cap_add:
@@ -38,7 +37,7 @@ services:
        read_only: false

    tmpfs:
-      - "/tmp:mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      - "/tmp:mode=1777,uid=20211,gid=20211,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

 volumes:
  test_netalertx_data:
--- a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.db_noread.yml
+++ b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.db_noread.yml
@@ -38,7 +38,7 @@ services:
        read_only: false

    tmpfs:
-      - "/tmp:mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      - "/tmp:mode=1700,uid=20211,gid=20211,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

 volumes:
  test_netalertx_data:
--- a/test/docker_tests/configurations/test_results.log
+++ b/test/docker_tests/configurations/test_results.log