diff --git a/etc/systemd/system/gvisor-updater.service b/etc/systemd/system/gvisor-updater.service
deleted file mode 100644
index 3da037a..0000000
--- a/etc/systemd/system/gvisor-updater.service
+++ /dev/null
@@ -1,50 +0,0 @@
-[Unit]
-Description=Update gVisor
-After=network-online.target
-Before=docker.service
-
-[Service]
-Type=oneshot
-RuntimeDirectory=gvisor-updater
-WorkingDirectory=/run/gvisor-updater
-ExecStart=/usr/bin/sleep 5
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512
-ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
-ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
-ExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1
-ExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
-ExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
-ExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
-
-DynamicUser=true
-CapabilityBoundingSet=
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateIPC=true
-PrivateTmp=true
-ProcSubset=pid
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectProc=invisible
-ProtectSystem=strict
-RestrictAddressFamilies=
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-RuntimeDirectoryMode=700
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@obsolete
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/x86-QEMU-Docker.ign b/x86-QEMU-Docker.ign
index 2c33e25..899fa22 100644
--- a/x86-QEMU-Docker.ign
+++ b/x86-QEMU-Docker.ign
@@ -229,12 +229,7 @@ "name": "postinst2.service" }, { - "contents": "[Unit]\nDescription=Download gVisor\nAfter=network-online.target\nBefore=docker.service\n\n[Service]\nUser=unpriv\nWorkingDirectory=/var/home/unpriv\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\n\n[Install]\nWantedBy=multi-user.target\n", - "enabled": true, - "name": "gvisor-downloader.service" - }, - { - "contents": "[Unit]\nDescription=Copy gVisor to the correct location\nAfter=gvisor-downloader.service\n\n[Service]\nWorkingDirectory=/var/home/unpriv\nType=oneshot\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=Update gVisor\nAfter=network-online.target\nBefore=docker.service\n\n[Service]\nType=oneshot\nRuntimeDirectory=gvisor-updater\nWorkingDirectory=/run/gvisor-updater\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -sS -O 
https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1\nExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\nDynamicUser=true\nCapabilityBoundingSet=\nLockPersonality=true\nMemoryDenyWriteExecute=true\nNoNewPrivileges=true\nPrivateDevices=true\nPrivateIPC=true\nPrivateTmp=true\nProcSubset=pid\nProtectClock=true\nProtectControlGroups=true\nProtectHome=true\nProtectHostname=true\nProtectKernelLogs=true\nProtectKernelModules=true\nProtectKernelTunables=true\nProtectProc=invisible\nProtectSystem=strict\nRestrictAddressFamilies=\nRestrictNamespaces=true\nRestrictRealtime=true\nRestrictSUIDSGID=true\nRuntimeDirectoryMode=700\nSystemCallArchitectures=native\nSystemCallFilter=@system-service\nSystemCallFilter=~@obsolete\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "gvisor-updater.service" }, diff --git a/x86-QEMU-Docker.yml b/x86-QEMU-Docker.yml index 12f2605..45e8a3f 100644 --- a/x86-QEMU-Docker.yml +++ b/x86-QEMU-Docker.yml 
@@ -81,42 +81,56 @@ systemd: [Install] WantedBy=multi-user.target - - name: gvisor-downloader.service + - name: gvisor-updater.service enabled: true contents: | [Unit] - Description=Download gVisor + Description=Update gVisor After=network-online.target Before=docker.service [Service] - User=unpriv - WorkingDirectory=/var/home/unpriv Type=oneshot + RuntimeDirectory=gvisor-updater + WorkingDirectory=/run/gvisor-updater ExecStart=/usr/bin/sleep 5 ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512 ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1 ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512 - - [Install] - WantedBy=multi-user.target - - name: gvisor-updater.service - enabled: true - contents: | - [Unit] - Description=Copy gVisor to the correct location - After=gvisor-downloader.service - - [Service] - WorkingDirectory=/var/home/unpriv - Type=oneshot ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512 ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512 - ExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1 - ExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1 - ExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin - ExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc + ExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1 + ExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1 + ExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin + ExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc + + DynamicUser=true + CapabilityBoundingSet= + 
LockPersonality=true + MemoryDenyWriteExecute=true + NoNewPrivileges=true + PrivateDevices=true + PrivateIPC=true + PrivateTmp=true + ProcSubset=pid + ProtectClock=true + ProtectControlGroups=true + ProtectHome=true + ProtectHostname=true + ProtectKernelLogs=true + ProtectKernelModules=true + ProtectKernelTunables=true + ProtectProc=invisible + ProtectSystem=strict + RestrictAddressFamilies= + RestrictNamespaces=true + RestrictRealtime=true + RestrictSUIDSGID=true + RuntimeDirectoryMode=700 + SystemCallArchitectures=native + SystemCallFilter=@system-service + SystemCallFilter=~@obsolete [Install] WantedBy=multi-user.target
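Review bot: `RestrictAddressFamilies=` with an empty right-hand side is a no-op — systemd.exec(5) says the empty assignment undoes any previous address-family restriction, unlike the neighbouring `CapabilityBoundingSet=` where an empty value really does empty the set, so the curl steps in the new unit are currently unrestricted. If the intent is an allow-list, write `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` (AF_UNIX covers the local resolver path; confirm name resolution still works in this image before dropping it). Note that the `+`-prefixed chown/chmod/mv/chcon lines run with full privileges, so DynamicUser=, CapabilityBoundingSet= and the Private*/Protect* namespacing in this block do not apply to them — that is the intended privilege split, but a short comment above those lines would save the next reader from assuming they are sandboxed. `After=network-online.target` alone only orders the unit; add `Wants=network-online.target` so the target is actually pulled in, otherwise the downloads can race network setup at boot. Fetching `latest` plus a same-origin `.sha512` on every boot verifies the transfer, not the publisher, and silently replaces the container runtime with whatever is currently published; pinning a release path instead of `latest` and keeping the expected hashes in the unit would make the update reproducible and auditable.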