Replace some -v instances with --mount

`-v` magically creates the source destination as a directory, if it doesn't exist already. We'd like to avoid this magic and the potential breakage that it might cause. We'd rather fail while Docker tries to find things to `--mount` than have it automatically create directories and fail anyway, while having contaminated the filesystem. There's a lot more `-v` instances remaining to be fixed later on. This is just some start. Things like `matrix_synapse_container_additional_volumes` and `matrix_nginx_proxy_container_additional_volumes` were not changed to use `--mount`, as options for each one are passed differently (`ro` is `ro`, but `rw` doesn't exist and `slave` is `bind-propagation=slave`). To avoid breaking people's custom volume mounts, we keep it as it is for now. A deficiency with `--mount` is that it lacks the `z` option (SELinux ownership changes), and some of our `-v` instances use that. I'm not sure how supported SELinux is for us right now, but it might be, and breaking that would not be a good idea.
5 лет назад · 1fca917ad1
--- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2
+++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2
@@ -21,13 +21,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element
 			-p {{ matrix_client_element_container_http_host_bind_port }}:8080 \
 			{% endif %}
 			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
 			-v {{ matrix_client_element_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
 			-v {{ matrix_client_element_data_path }}/config.json:/app/config.json:ro \
 			-v {{ matrix_client_element_data_path }}/config.json:/app/config.{{ matrix_server_fqn_element }}.json:ro \
 			--mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
 			--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \
 			--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \
 			{% if matrix_client_element_embedded_pages_home_path is not none %}
 			-v {{ matrix_client_element_data_path }}/home.html:/app/home.html:ro \
 			--mount type=bind,src={{ matrix_client_element_data_path }}/home.html,dst=/app/home.html,ro \
 			{% endif %}
 			-v {{ matrix_client_element_data_path }}/welcome.html:/app/welcome.html:ro \
 			--mount type=bind,src={{ matrix_client_element_data_path }}/welcome.html,dst=/app/welcome.html,ro \
 			{% for arg in matrix_client_element_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
+++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
@@ -23,7 +23,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \
 			{% if matrix_dimension_container_http_host_bind_port %}
 			-p {{ matrix_dimension_container_http_host_bind_port }}:8184 \
 			{% endif %}
 			-v {{ matrix_dimension_base_path }}:/data:rw \
 			--mount type=bind,src={{ matrix_dimension_base_path }},dst=/data \
 			{% for arg in matrix_dimension_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
+++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
@@ -15,7 +15,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_jicofo_base_path }}/env \
 			-v {{ matrix_jitsi_jicofo_config_path }}:/config \
 			--mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \
 			{% for arg in matrix_jitsi_jicofo_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
+++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
@@ -21,7 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \
 			{% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %}
 			-p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \
 			{% endif %}
 			-v {{ matrix_jitsi_jvb_config_path }}:/config \
 			--mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \
 			{% for arg in matrix_jitsi_jvb_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
+++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
@@ -15,8 +15,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_prosody_base_path }}/env \
 			-v {{ matrix_jitsi_prosody_config_path }}:/config \
 			-v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \
 			--mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \
 			{% for arg in matrix_jitsi_prosody_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
+++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
@@ -18,8 +18,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \
 			{% if matrix_jitsi_web_container_http_host_bind_port %}
 			-p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \
 			{% endif %}
 			-v {{ matrix_jitsi_web_config_path }}:/config \
 			-v {{ matrix_jitsi_web_transcripts_path }}:/usr/share/jitsi-meet/transcripts \
 			--mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \
 			{% for arg in matrix_jitsi_web_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
+++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
@@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \
 			{% if matrix_ma1sd_verbose_logging %}
 			-e MA1SD_LOG_LEVEL=debug \
 			{% endif %}
 			-v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \
 			-v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \
 			--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
 			--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
 			{% for arg in matrix_ma1sd_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -30,11 +30,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
 			{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %}
 			-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \
 			{% endif %}
 			-v {{ matrix_nginx_proxy_base_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
 			-v {{ matrix_nginx_proxy_data_path }}:/nginx-data:ro \
 			-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \
 			-v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \
 			-v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \
 			--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
 			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \
 			--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \
 			--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \
 			--mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \
 			{% for volume in matrix_nginx_proxy_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}
--- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
+++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
@@ -21,8 +21,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \
 			-p {{ matrix_postgres_container_postgres_bind_port }}:5432 \
 			{% endif %}
 			--env-file={{ matrix_postgres_base_path }}/env-postgres-server \
 			-v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data:rw \
 			-v /etc/passwd:/etc/passwd:ro \
 			--mount type=bind,src={{ matrix_postgres_data_path }},dst=/var/lib/postgresql/data \
 			--mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \
 			{% for arg in matrix_postgres_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2
+++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2
@@ -22,8 +22,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \
 			{% if matrix_registration_container_http_host_bind_port %}
 			-p {{ matrix_registration_container_http_host_bind_port }}:5000 \
 			{% endif %}
 			-v {{ matrix_registration_config_path }}:/config:ro \
 			-v {{ matrix_registration_data_path }}:/data \
 			--mount type=bind,src={{ matrix_registration_config_path }},dst=/config,ro \
 			--mount type=bind,src={{ matrix_registration_data_path }},dst=/data \
 			{% for arg in matrix_registration_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-synapse/tasks/synapse/setup_install.yml
+++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml
@@ -65,7 +65,7 @@
    --name=matrix-config
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    -v {{ matrix_synapse_config_dir_path }}:/data
    --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data
    -e UID={{ matrix_user_uid }}
    -e GID={{ matrix_user_gid }}
    -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
--- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
+++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
@@ -12,13 +12,13 @@ ExecStartPre=-{{ matrix_host_command_docker }} rm %n
 ExecStart={{ matrix_host_command_docker }} run --rm --name %n \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			-v /etc/passwd:/etc/passwd:ro \
 			-v /etc/group:/etc/group:ro \
 			--mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \
 			--mount type=bind,src=/etc/group,dst=/etc/group,ro \
 			--mount type=bind,src={{ matrix_synapse_media_store_path }},dst=/s3,bind-propagation=shared \
 			--security-opt apparmor:unconfined \
 			--cap-add mknod \
 			--cap-add sys_admin \
 			--device=/dev/fuse \
 			-v {{ matrix_synapse_media_store_path }}:/s3:shared \
 			--env-file={{ matrix_synapse_config_dir_path }}/env-goofys \
 			--entrypoint /bin/sh \
 			{{ matrix_s3_goofys_docker_image }} \
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@@ -43,8 +43,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
 			{% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %}
 			-p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \
 			{% endif %}
 			-v {{ matrix_synapse_config_dir_path }}:/data:ro \
 			-v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \
 			--mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \
 			--mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}