Matt Hamilton

Results 41 comments of Matt Hamilton

Of course. FWIW noagendasocial.com has been running with these settings for more than a year without any issues to my knowledge, but I haven't done any testing of first-time instance...

@mig5 does applying [959af01](https://github.com/mastodon/mastodon/pull/21165/commits/959af0105ff6cc4a7c8740bd8b01f0e827e5c3f4) fix it?

Adding `setuid` isn't ideal. It's probably better to explicitly set the `user` and fix the incongruence, but that will be a more involved "fix" and probably break more deployments than...

> container db is able to run with read_only and cap_drop ALL

Thanks, I just missed this one. Will fix.

> mount options nosuid,nodev and noexec ...

I'm pretty sure...

Sorry it's taken me so long to get back to this. @nberlee I've integrated your changes into the latest commit, as I too was impacted by moby/moby#20437.

I also added an explicit `user` directive to each service, leaving fixing any host incongruence to the operator. This is necessary to name uids when setting ownership of the tmpfs...

This is probably best handled by the orchestrator enforcing filesystem controls (Docker's `read_only`) rather than mucking with file permissions. See: #21165

I agree wholeheartedly with the premise of this PR. The change of the `chown` isn't strictly a problem, it just isn't the ideal solution. Rather than changing the permissions of...

@thomasvs have you taken time to look at and test this PR?

Great. I'll ping you again in a week or so to bother you about it :)