Homepage vols #407
Homepage vols #407
Conversation
|
Also, apparently, I made this branch from my "bumps" branch so that I'd be using the current Homepage version. Oh well, now is as good a time as any to also push these bumps. |
|
There is no way to prevent write access to a mounted socket. The :ro is security theater. It still allows full write access to docker. The only benefit it has is to prevent unlinking the socket from inside the container (but not sure why a container would do that). The only true way to limit access to docker is through a docker-proxy. |
|
I'll allow you to keep the :ro, even though it changes little. I just wanted you to know that it doesnt do what it appears to do. |
…in docker-compose.yaml. Update .env-dist comments.
|
I removed the :ro. My tests showed that I needed it, but I think I was conflating 3 different issues that I was testing at the same time. We don't want to support mounting docker sockets, which is why we left HOMEPAGE_EXTRA_VOLUMES in .env-dist but didn't add it to Makefile. And it's possible that someone might want to mount a volume with write access. |
|
LGTM |
mcmikemn
dismissed
EnigmaCurry’s stale review
Fixed, discussed with EnigmaCurry.
There was still a fix request from you even though I marked it "resolved" in the conversation. I couldn't resolve the request so I dismissed it. But I still can't merge the PR, so I guess you have to approve or dismiss the fix request, or just approve the PR. |
|
I think it is just waiting for you to request another review |
Change volume mount to :ro, apparently required for homepage to use docker sockets as mounted volumes (which is a good thing) - I think this is new to a Homepage upgrade.