Fossil SCM
Restricted the container listeners to localhost in section 6 of the containers doc, and mentioned a few other items related to reverse proxying with nginx.
Commit
c9ab736f78d6a707edfee5139131b916492cd070c0ab27cd7cebf98070b20a16
Parent
80f4a1dd4999a21…
1 file changed
+24
-10
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -425,19 +425,33 @@ | ||
| 425 | 425 | don’t have to resort to [raw Fossil service](./server/) to succeed, |
| 426 | 426 | leaving the benefits of containerization to those with bigger budgets. |
| 427 | 427 | |
| 428 | 428 | For the sake of simple examples in this section, we’ll assume you’re |
| 429 | 429 | integrating Fossil into a larger web site, such as with our [Debian + |
| 430 | -nginx + TLS][DNT] plan. The Fossil server instance listens on a | |
| 431 | -high-numbered port, on localhost only, and the front-end web server | |
| 432 | -reverse-proxies this out to the public. Containers are a fine addition | |
| 433 | -to such a system, isolating those elements of the site, thus greatly | |
| 434 | -reducing the chance that they’ll ever be used to break into the host as | |
| 435 | -a whole. | |
| 430 | +nginx + TLS][DNT] plan. This is why all of the examples below create | |
| 431 | +the container with this option: | |
| 432 | + | |
| 433 | +``` | |
| 434 | + --publish 127.0.0.1:9999:8080 | |
| 435 | +``` | |
| 436 | + | |
| 437 | +The assumption is that there’s a reverse proxy running somewhere that | |
| 438 | +redirects public web hits to localhost port 9999, which in turn goes to | |
| 439 | +port 8080 inside the container. This use of Docker/Podman port | |
| 440 | +publishing effectively replaces the use of the | |
| 441 | +“`fossil server --localhost`” option. | |
| 442 | + | |
| 443 | +For the nginx case, you need to add `--scgi` to these commands, and you | |
| 444 | +might also need to specify `--baseurl`. | |
| 445 | + | |
| 446 | +Containers are a fine addition to such a scheme as they isolate the | |
| 447 | +Fossil sections of the site from the rest of the back-end resources, | |
| 448 | +thus greatly reducing the chance that they’ll ever be used to break into | |
| 449 | +the host as a whole. | |
| 436 | 450 | |
| 437 | 451 | (If you wanted to be double-safe, you could put the web server into |
| 438 | -another container, restricting it only to reading from the static web | |
| 452 | +another container, restricting it to reading from the static web | |
| 439 | 453 | site directory and connecting across localhost to back-end dynamic |
| 440 | 454 | content servers such as Fossil. That’s way outside the scope of this |
| 441 | 455 | document, but you can find ready advice for that elsewhere. Seeing how |
| 442 | 456 | we do this with Fossil should help you bridge the gap in extending |
| 443 | 457 | this idea to the rest of your site.) |
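Review bot: two documentation points in the new paragraph around `--publish 127.0.0.1:9999:8080`. First, "all of the examples below create the container with this option" is not quite true of this diff: the systemd-nspawn example near the end of the file uses `--port=` rather than `--publish`, so either scope the sentence to the Docker/Podman examples or mention the exception. Second, "For the nginx case, you need to add `--scgi` to these commands" leaves unclear which command takes it: `--scgi` and `--baseurl` are `fossil server` options, not `docker create` options, so say how they reach the server inside the container (as arguments after the image name, if the image's entrypoint passes them through, or in the Dockerfile). One caveat worth a sentence: binding the published port to 127.0.0.1 replaces `--localhost` only as seen from the host's interfaces; inside the container Fossil still listens on 8080 for anything else attached to the same container network.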
| @@ -719,11 +733,11 @@ | ||
| 719 | 733 | $ patch -p0 < containers/Dockerfile-nojail.patch |
| 720 | 734 | $ make reconfig # re-generate Dockerfile from the changed .in file |
| 721 | 735 | $ docker build -t fossil:nojail . |
| 722 | 736 | $ docker create \ |
| 723 | 737 | --name fossil-nojail \ |
| 724 | - --publish 9999:8080 \ | |
| 738 | + --publish 127.0.0.1:9999:8080 \ | |
| 725 | 739 | --volume ~/museum/my-project.fossil:/museum/repo.fossil \ |
| 726 | 740 | fossil:nojail |
| 727 | 741 | ``` |
| 728 | 742 | |
| 729 | 743 | This shows a new trick: mapping a single file into the container, rather |
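Review bot: the new `--publish 127.0.0.1:9999:8080` line matches the section 6 prose, but this `docker create` still shows a plain-HTTP container while the prose just added says the nginx case needs `--scgi`; consider either showing the SCGI variant here or pointing back to where that flag is set, so a reader who followed the nginx plan does not copy a container that speaks the wrong protocol to the proxy.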
| @@ -784,11 +798,11 @@ | ||
| 784 | 798 | --cap-drop FSETID \ |
| 785 | 799 | --cap-drop KILL \ |
| 786 | 800 | --cap-drop NET_BIND_SERVICE \ |
| 787 | 801 | --cap-drop SETFCAP \ |
| 788 | 802 | --cap-drop SETPCAP \ |
| 789 | - --publish 9999:8080 \ | |
| 803 | + --publish 127.0.0.1:9999:8080 \ | |
| 790 | 804 | localhost/fossil |
| 791 | 805 | $ sudo podman start fossil |
| 792 | 806 | ``` |
| 793 | 807 | |
| 794 | 808 | It’s obvious why we have to start the container as root, but why create |
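Review bot: consistent with the first hunk; worth stating in the prose that with `sudo podman create` (rootful) the host-side listener on 9999 is created by podman itself, so the `127.0.0.1` prefix is what keeps it off the public interfaces, independent of the `--cap-drop` list, which only constrains the process inside the container (dropping `NET_BIND_SERVICE` does not affect the host-side mapping).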
| @@ -883,11 +897,11 @@ | ||
| 883 | 897 | ``` |
| 884 | 898 | $ sudo systemd-nspawn \ |
| 885 | 899 | --oci-bundle=/var/lib/machines/fossil \ |
| 886 | 900 | --machine=fossil \ |
| 887 | 901 | --network-veth \ |
| 888 | - --port=9999:8080 | |
| 902 | + --port=127.0.0.1:127.0.0.1:9999:8080 | |
| 889 | 903 | $ sudo machinectl list |
| 890 | 904 | No machines. |
| 891 | 905 | ``` |
| 892 | 906 | |
| 893 | 907 | This is why I wrote “reportedly” above: it doesn’t work on two different |
| 894 | 908 |
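Review bot: `--port=127.0.0.1:127.0.0.1:9999:8080` has `127.0.0.1:` doubled, which looks like a paste error, and as documented systemd-nspawn's `--port=` takes `[protocol:]host-port[:container-port]` with no host-address field at all, so this line will most likely be rejected rather than bind to loopback. Since the text after the block already says the nspawn route does not work, either keep the plain `--port=9999:8080` and add a note that nspawn cannot restrict the bind the way `--publish 127.0.0.1:...` does, or verify the new form before shipping it.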