Allow specifying read-only flag to container.valid_volumes in config.yml #79

Open
opened 2023-09-05 08:59:39 +00:00 by flightkick · 0 comments

Feature request

Summary

In order to mount certain volumes in containers, those volumes first need to be allowlisted in the `config.yml` file.

```yaml
container:
  # ...

  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
  # valid_volumes:
  #   - data
  #   - /src/*.json
  # If you want to allow any volume, please use the following configuration:
  # valid_volumes:
  #   - '**'
  valid_volumes: []
```

It would be nice if read-only restrictions could also be applied.

Use-case

I need to have the spawned containers accept certain self-signed certificates within my infrastructure. On the forgejo-runner container I'm able to do this by mapping `/etc/ssl/certs/:/etc/ssl/certs/:ro`. In the workflow yaml file it seems that this can be configured through options, although the path needs to be allowlisted in the runner's `config.yml` first.
For security reasons I'd like to allow sharing the host ca-certificates, but write access should be prohibited.

Workaround

Less optimal, but I can work around the issue by embedding the ca-certificates inside custom container images.
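An added example (not code from forgejo-runner) of how the runner could enforce such a flag: each `valid_volumes` entry is a glob as on this page, and a hypothetical trailing `:ro` on an entry allows the host path only when the workflow requests the mount read-only. The glob matcher is a stand-in (`**` matches everything, otherwise Go's `path.Match`), not the gobwas/glob library the runner uses.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchGlob stands in for gobwas/glob: "**" matches anything, otherwise path.Match.
func matchGlob(pattern, name string) bool {
	if pattern == "**" {
		return true
	}
	ok, err := path.Match(pattern, name)
	return err == nil && ok
}

// ValidateMount accepts a docker-style "host:container[:opts]" spec when some
// allowlist entry matches the host path and, if that entry is read-only, the mount is too.
func ValidateMount(spec string, validVolumes []string) error {
	parts := strings.Split(spec, ":")
	if len(parts) < 2 || len(parts) > 3 {
		return fmt.Errorf("malformed volume spec %q", spec)
	}
	host := path.Clean(parts[0])
	readOnly := len(parts) == 3 && strings.Contains(","+parts[2]+",", ",ro,")
	needsRO := false
	for _, entry := range validVolumes {
		// Hypothetical syntax: a trailing ":ro" on an allowlist entry means the
		// path may be mounted only read-only (the feature this issue asks for).
		pattern, ro := strings.TrimSuffix(entry, ":ro"), strings.HasSuffix(entry, ":ro")
		if !matchGlob(path.Clean(pattern), host) {
			continue
		}
		if !ro || readOnly {
			return nil // allowed by this entry
		}
		needsRO = true
	}
	if needsRO {
		return fmt.Errorf("%s is allowlisted read-only; request it with :ro", host)
	}
	return fmt.Errorf("%s is not in valid_volumes", host)
}
```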

dachary added the Kind/Enhancement label 2023-09-05 09:06:53 +00:00
dachary added the Kind/Feature label 2023-10-27 19:17:58 +00:00
Reference: forgejo/runner#79