Re-using an inherited file descriptor to /dev/urandom frees us
from problems with mount options including 'nodev' and removes a
capability from the set we need.
Change-Id: I70337e923f802d7efbd3159c11a4e39f6529b6e6
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Added the 'tzdata' package to Ubuntu-based Docker builds and the
'timezone' package to openSUSE builds, to allow Docker users to run
the containers with a custom timezone by passing a TZ env variable.
Signed-off-by: Tobia Conforto <tobia.conforto@gmail.com>
Change-Id: Idafd84dde3383b4801ff4b3ebb8ac1826fe49fcc
Docker supports two methods of executing commands.
The existing approach was to run bash and give the
shell script to execute, which forks and execs another
shell instance to run the script. This means that the
script itself is not PID 1, rather the parent bash
instance is.
The second approach is to exec the script in the same
bash process, without a parent. This is exactly what
we want, because once our script is done, it execs
loolwsd, thereby making loolwsd PID 1.
All of this means that when the docker container is
stopped, and PID 1 is sent SIGTERM, loolwsd will
intercept it and gracefully shutdown.
Change-Id: I52ac63f7fba58d20d1c6f63c7e07dd18141c1af4
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
In some cases we cannot do a fast bind-mount of the files we want
in our jail since we don't have cap_sys_admin for loolmount inside
eg. docker.
Thus we need to fallback to hard-linking, however various security
systems namespace parts of our tree, such that link() fails with
EXDEV even across the (apparently) same file-system.
As such we need to assemble a copy of what we want to hard-link
close to our jails. However, this needs to be owned by root / the
system to avoid having writable files shared between jails. Hence
we need cap_chown in addition to cap_fowner, to get ownership right
and then hard-link.
Change-Id: Iba0ef46ddbc1c03f3dc7177bc1ec1755624135db
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>