[Compose] Added SELinux support / volume labeling (#3766)

* [Compose] Added SELinux support / volume labeling

* fix typo
master
Hannes Happle 2020-10-06 20:56:19 +02:00 committed by GitHub
parent 60dde06669
commit e8ccd24f57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 76 additions and 72 deletions

View File

@ -6,8 +6,8 @@ services:
environment: environment:
- TZ=${TZ} - TZ=${TZ}
volumes: volumes:
- ./data/hooks/unbound:/hooks - ./data/hooks/unbound:/hooks:Z
- ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro - ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z
restart: always restart: always
tty: true tty: true
networks: networks:
@ -22,9 +22,9 @@ services:
- unbound-mailcow - unbound-mailcow
stop_grace_period: 45s stop_grace_period: 45s
volumes: volumes:
- mysql-vol-1:/var/lib/mysql/ - mysql-vol-1:/var/lib/mysql/:Z
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/:z
- ./data/conf/mysql/:/etc/mysql/conf.d/:ro - ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
environment: environment:
- TZ=${TZ} - TZ=${TZ}
- MYSQL_ROOT_PASSWORD=${DBROOT} - MYSQL_ROOT_PASSWORD=${DBROOT}
@ -43,7 +43,7 @@ services:
redis-mailcow: redis-mailcow:
image: redis:5-alpine image: redis:5-alpine
volumes: volumes:
- redis-vol-1:/data/ - redis-vol-1:/data/:Z
restart: always restart: always
ports: ports:
- "${REDIS_PORT:-127.0.0.1:7654}:6379" - "${REDIS_PORT:-127.0.0.1:7654}:6379"
@ -64,7 +64,7 @@ services:
- TZ=${TZ} - TZ=${TZ}
- SKIP_CLAMD=${SKIP_CLAMD:-n} - SKIP_CLAMD=${SKIP_CLAMD:-n}
volumes: volumes:
- ./data/conf/clamav/:/etc/clamav/ - ./data/conf/clamav/:/etc/clamav/:Z
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -82,15 +82,15 @@ services:
- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-} - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-} - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
volumes: volumes:
- ./data/hooks/rspamd:/hooks - ./data/hooks/rspamd:/hooks:Z
- ./data/conf/rspamd/custom/:/etc/rspamd/custom - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
- ./data/conf/rspamd/override.d/:/etc/rspamd/override.d - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:Z
- ./data/conf/rspamd/local.d/:/etc/rspamd/local.d - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:Z
- ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d - ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d:Z
- ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro - ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro,Z
- ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local - ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z
- ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override - ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z
- rspamd-vol-1:/var/lib/rspamd - rspamd-vol-1:/var/lib/rspamd:z
restart: always restart: always
dns: dns:
- ${IPV4_NETWORK:-172.22.1}.254 - ${IPV4_NETWORK:-172.22.1}.254
@ -106,22 +106,22 @@ services:
depends_on: depends_on:
- redis-mailcow - redis-mailcow
volumes: volumes:
- ./data/hooks/phpfpm:/hooks - ./data/hooks/phpfpm:/hooks:Z
- ./data/web:/web:rw - ./data/web:/web:rw,z
- ./data/conf/rspamd/dynmaps:/dynmaps:ro - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
- ./data/conf/rspamd/custom/:/rspamd_custom_maps - ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
- rspamd-vol-1:/var/lib/rspamd - rspamd-vol-1:/var/lib/rspamd:z
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/:z
- ./data/conf/sogo/:/etc/sogo/ - ./data/conf/sogo/:/etc/sogo/:z
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
- ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/ - ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/:z
- ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf - ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf:Z
- ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini - ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:Z
- ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini - ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini:Z
- ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini - ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini:Z
- ./data/conf/dovecot/global_sieve_before:/global_sieve/before - ./data/conf/dovecot/global_sieve_before:/global_sieve/before:Z
- ./data/conf/dovecot/global_sieve_after:/global_sieve/after - ./data/conf/dovecot/global_sieve_after:/global_sieve/after:Z
- ./data/assets/templates:/tpls - ./data/assets/templates:/tpls:z
dns: dns:
- ${IPV4_NETWORK:-172.22.1}.254 - ${IPV4_NETWORK:-172.22.1}.254
environment: environment:
@ -178,12 +178,12 @@ services:
dns: dns:
- ${IPV4_NETWORK:-172.22.1}.254 - ${IPV4_NETWORK:-172.22.1}.254
volumes: volumes:
- ./data/conf/sogo/:/etc/sogo/ - ./data/conf/sogo/:/etc/sogo/:z
- ./data/web/inc/init_db.inc.php:/init_db.inc.php - ./data/web/inc/init_db.inc.php:/init_db.inc.php:Z
- ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:Z
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/:z
- sogo-web-vol-1:/sogo_web - sogo-web-vol-1:/sogo_web:z
- sogo-userdata-backup-vol-1:/sogo_backup - sogo-userdata-backup-vol-1:/sogo_backup:Z
restart: always restart: always
networks: networks:
mailcow-network: mailcow-network:
@ -200,18 +200,18 @@ services:
cap_add: cap_add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
volumes: volumes:
- ./data/hooks/dovecot:/hooks - ./data/hooks/dovecot:/hooks:Z
- ./data/conf/dovecot:/etc/dovecot - ./data/conf/dovecot:/etc/dovecot:z
- ./data/assets/ssl:/etc/ssl/mail/:ro - ./data/assets/ssl:/etc/ssl/mail/:ro,z
- ./data/conf/sogo/:/etc/sogo/ - ./data/conf/sogo/:/etc/sogo/:z
- ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/ - ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/:z
- vmail-vol-1:/var/vmail - vmail-vol-1:/var/vmail:Z
- vmail-index-vol-1:/var/vmail_index - vmail-index-vol-1:/var/vmail_index:Z
- crypt-vol-1:/mail_crypt/ - crypt-vol-1:/mail_crypt/:z
- ./data/conf/rspamd/custom/:/etc/rspamd/custom - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
- ./data/assets/templates:/templates - ./data/assets/templates:/templates:z
- rspamd-vol-1:/var/lib/rspamd - rspamd-vol-1:/var/lib/rspamd:z
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/:z
environment: environment:
- LOG_LINES=${LOG_LINES:-9999} - LOG_LINES=${LOG_LINES:-9999}
- DBNAME=${DBNAME} - DBNAME=${DBNAME}
@ -255,13 +255,13 @@ services:
depends_on: depends_on:
- mysql-mailcow - mysql-mailcow
volumes: volumes:
- ./data/hooks/postfix:/hooks - ./data/hooks/postfix:/hooks:Z
- ./data/conf/postfix:/opt/postfix/conf - ./data/conf/postfix:/opt/postfix/conf:z
- ./data/assets/ssl:/etc/ssl/mail/:ro - ./data/assets/ssl:/etc/ssl/mail/:ro,z
- postfix-vol-1:/var/spool/postfix - postfix-vol-1:/var/spool/postfix:z
- crypt-vol-1:/var/lib/zeyple - crypt-vol-1:/var/lib/zeyple:z
- rspamd-vol-1:/var/lib/rspamd - rspamd-vol-1:/var/lib/rspamd:z
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/:z
environment: environment:
- LOG_LINES=${LOG_LINES:-9999} - LOG_LINES=${LOG_LINES:-9999}
- TZ=${TZ} - TZ=${TZ}
@ -325,12 +325,12 @@ services:
- SKIP_SOGO=${SKIP_SOGO:-n} - SKIP_SOGO=${SKIP_SOGO:-n}
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n} - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
volumes: volumes:
- ./data/web:/web:ro - ./data/web:/web:ro,z
- ./data/conf/rspamd/dynmaps:/dynmaps:ro - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
- ./data/assets/ssl/:/etc/ssl/mail/:ro - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
- ./data/conf/nginx/:/etc/nginx/conf.d/:rw - ./data/conf/nginx/:/etc/nginx/conf.d/:rw,Z
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
- sogo-web-vol-1:/usr/lib/GNUstep/SOGo/ - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z
ports: ports:
- "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}" - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
- "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}" - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
@ -367,10 +367,10 @@ services:
- SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n} - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
- SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n} - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
volumes: volumes:
- ./data/web/.well-known/acme-challenge:/var/www/acme:rw - ./data/web/.well-known/acme-challenge:/var/www/acme:rw,Z
- ./data/assets/ssl:/var/lib/acme/:rw - ./data/assets/ssl:/var/lib/acme/:rw,z
- ./data/assets/ssl-example:/var/lib/ssl-example/:ro - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/:z
restart: always restart: always
networks: networks:
mailcow-network: mailcow-network:
@ -407,10 +407,10 @@ services:
dns: dns:
- ${IPV4_NETWORK:-172.22.1}.254 - ${IPV4_NETWORK:-172.22.1}.254
volumes: volumes:
- rspamd-vol-1:/var/lib/rspamd - rspamd-vol-1:/var/lib/rspamd:z
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/:z
- postfix-vol-1:/var/spool/postfix - postfix-vol-1:/var/spool/postfix:z
- ./data/assets/ssl:/etc/ssl/mail/:ro - ./data/assets/ssl:/etc/ssl/mail/:ro,z
restart: always restart: always
environment: environment:
- IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64} - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
@ -463,6 +463,8 @@ services:
dockerapi-mailcow: dockerapi-mailcow:
image: mailcow/dockerapi:1.37 image: mailcow/dockerapi:1.37
security_opt:
- label=disable
restart: always restart: always
oom_kill_disable: true oom_kill_disable: true
dns: dns:
@ -481,7 +483,7 @@ services:
image: mailcow/solr:1.7 image: mailcow/solr:1.7
restart: always restart: always
volumes: volumes:
- solr-vol-1:/opt/solr/server/solr/dovecot-fts/data - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data:Z
ports: ports:
- "${SOLR_PORT:-127.0.0.1:18983}:8983" - "${SOLR_PORT:-127.0.0.1:18983}:8983"
environment: environment:
@ -532,6 +534,8 @@ services:
environment: environment:
- TZ=${TZ} - TZ=${TZ}
image: robbertkl/ipv6nat image: robbertkl/ipv6nat
security_opt:
- label=disable
restart: always restart: always
privileged: true privileged: true
network_mode: "host" network_mode: "host"