From 3ee9f7c9d12d54cf69994d74ac018983ba293f59 Mon Sep 17 00:00:00 2001 From: Thien Tran Date: Tue, 15 Aug 2023 18:23:38 -0700 Subject: [PATCH] Setup Chrony seccomp filter Signed-off-by: Thien Tran --- Docker-Compose.ign | 8 ++++++++ Docker-Compose.yml | 6 ++++++ Generic.ign | 10 +++++++++- Generic.yml | 8 +++++++- 4 files changed, 30 insertions(+), 2 deletions(-) diff --git a/Docker-Compose.ign b/Docker-Compose.ign index 09cd356..8ed672f 100644 --- a/Docker-Compose.ign +++ b/Docker-Compose.ign @@ -115,6 +115,14 @@ "source": "data:;base64,H4sIAAAAAAAC/4yQsU78MAyHdz9Fpf/cyxNkuL8OIVaO6oaqQ0hMz2pqB8cB+vYM1QmBGNh+0vf5GzwOTDbBCWtUKkbC/thM1mAUu6GkYKhwfDFUnyQuqIeK+kYR4RFfGylWz2jvoksvnInxYEFntC/84wzG874mGCqqVxGDe5VW9nkRXYjnEylGE928K8GuzsTtoT7KWqSiSzcD/t19YDxbUPOuVXXPxG4m60rLGX5h30N/1Vrp+gRPW0EvjPUqBjA+cLWQ8wSXwIbp/+bXlo36VlFvn/gMAAD//9CerLZjAQAA" } }, + { + "overwrite": true, + "path": "/etc/sysconfig/chronyd", + "contents": { + "compression": "", + "source": "data:,%23%20Command-line%20options%20for%20chronyd%0AOPTIONS%3D%22-F%201%22%0A" + } + }, { "overwrite": true, "path": "/etc/unbound/unbound.conf", diff --git a/Docker-Compose.yml b/Docker-Compose.yml index 713eba9..1a094ca 100644 --- a/Docker-Compose.yml +++ b/Docker-Compose.yml @@ -173,6 +173,12 @@ storage: [Install] WantedBy=multi-user.target + - path: /etc/sysconfig/chronyd + overwrite: true + contents: + inline: | + # Command-line options for chronyd + OPTIONS="-F 1" - path: /etc/unbound/unbound.conf overwrite: true contents: diff --git a/Generic.ign b/Generic.ign index 610f23b..d04ff80 100644 --- a/Generic.ign +++ b/Generic.ign 
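Review bot: The inline comment `# Command-line options for chronyd` in the new `/etc/sysconfig/chronyd` entry of Docker-Compose.yml does not say what `-F 1` does or why level 1 was chosen, and the identical entry added in Generic.yml has the same gap. Per the chronyd man page, level 1 is the allowlist-style seccomp filter and chronyd is killed when it makes a system call outside it, so an unexpected libc or kernel code path becomes a time-sync outage rather than a log line. I would replace the comment with something like `# -F 1: seccomp allowlist filter; chronyd is killed on any syscall outside it`, and check that the unit restarts chronyd on failure, which is not visible in this patch. Because the entry uses `overwrite: true`, whatever `OPTIONS` value the distribution ships in this file is discarded, so any default flags there have to be carried over deliberately.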
@@ -108,12 +108,20 @@ "source": "data:,GSSAPIAuthentication%20no%0AVerifyHostKeyDNS%20yes%0A" } }, + { + "overwrite": true, + "path": "/etc/sysconfig/chronyd", + "contents": { + "compression": "", + "source": "data:,%23%20Command-line%20options%20for%20chronyd%0AOPTIONS%3D%22-F%201%22%0A" + } + }, { "overwrite": true, "path": "/etc/unbound/unbound.conf", "contents": { "compression": "gzip", - "source": "data:;base64,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" + "source": "data:;base64,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" } }, { diff --git a/Generic.yml b/Generic.yml index e5db572..6de9af5 100644 --- a/Generic.yml +++ b/Generic.yml @@ -171,6 +171,12 @@ storage: inline: | GSSAPIAuthentication no VerifyHostKeyDNS yes + - path: /etc/sysconfig/chronyd + overwrite: true + contents: + inline: | + # Command-line options for chronyd + OPTIONS="-F 1" - path: /etc/unbound/unbound.conf overwrite: true contents: @@ -213,7 +219,7 @@ storage: forward-addr: 1.1.1.2@853#security.cloudflare-dns.com forward-addr: 1.0.0.2@853#security.cloudflare-dns.com forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com - forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com + forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.comff - path: /etc/systemd/system/unbound.service.d/override.conf contents: inline: |
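Review bot: The last `forward-addr` line in the second Generic.yml hunk now ends in `security.cloudflare-dns.comff`; the trailing `ff` looks like a stray keystroke and has nothing to do with the Chrony change this commit describes. The text after `#` is the name Unbound uses to authenticate the upstream's TLS certificate, so if certificate verification is configured (for example via `tls-cert-bundle`, which is outside this hunk) that forwarder would fail authentication and stop being usable. Restore the line to `forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com` and regenerate Generic.ign, whose gzip-compressed unbound.conf blob also changes in this commit and presumably carries the same edit.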