fix(deploy): apparmor:unconfined for Docker-in-LXC
The docker-default AppArmor profile can't be loaded from inside the LXC; match the lab convention (finance/arr stacks) of running services unconfined.
This commit is contained in:
parent
79e328af8d
commit
f544e7ee06
2 changed files with 9 additions and 0 deletions
|
|
@ -25,6 +25,9 @@ services:
|
||||||
environment:
|
environment:
|
||||||
# Exactly one scheduler may write to the shared DB; the server owns it.
|
# Exactly one scheduler may write to the shared DB; the server owns it.
|
||||||
SCHEDULER_ENABLED: "false"
|
SCHEDULER_ENABLED: "false"
|
||||||
|
# Harmless on Docker Desktop; needed if ever run under Docker-in-LXC.
|
||||||
|
security_opt:
|
||||||
|
- apparmor:unconfined
|
||||||
ports:
|
ports:
|
||||||
- "${APP_PORT:-8080}:8000"
|
- "${APP_PORT:-8080}:8000"
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
|
|
||||||
|
|
@ -26,6 +26,10 @@ services:
|
||||||
ports:
|
ports:
|
||||||
# Published on the LAN so the local dev webapp uses this central DB.
|
# Published on the LAN so the local dev webapp uses this central DB.
|
||||||
- "5432:5432"
|
- "5432:5432"
|
||||||
|
# Required for Docker-in-LXC: the container can't load the docker-default
|
||||||
|
# AppArmor profile inside an unprivileged-from-AppArmor's-view namespace.
|
||||||
|
security_opt:
|
||||||
|
- apparmor:unconfined
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-subfeed} -d ${POSTGRES_DB:-subfeed}"]
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-subfeed} -d ${POSTGRES_DB:-subfeed}"]
|
||||||
interval: 5s
|
interval: 5s
|
||||||
|
|
@ -45,6 +49,8 @@ services:
|
||||||
depends_on:
|
depends_on:
|
||||||
db:
|
db:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
|
security_opt:
|
||||||
|
- apparmor:unconfined
|
||||||
ports:
|
ports:
|
||||||
# Exposed on the LAN for status/health checks only. Interactive Google login
|
# Exposed on the LAN for status/health checks only. Interactive Google login
|
||||||
# needs a public HTTPS redirect URL (set up later); backfill runs regardless.
|
# needs a public HTTPS redirect URL (set up later); backfill runs regardless.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue