Minor text change

This commit is contained in:
andryyy 2020-10-08 09:57:12 +02:00
Parent 87c1c3d5d0
Commit 0125fd06fc
No GPG key could be found for this signature
GPG key ID: 8EC34FF2794E25EF


@ -33,24 +33,32 @@ Please use the latest Docker engine available and do not use the engine that shi
**1\.1\.** On SELinux enabled systems, e.g. CentOS 7: **1\.1\.** On SELinux enabled systems, e.g. CentOS 7:
- Check if "container-selinux" package is present on your system: - Check if "container-selinux" package is present on your system:
``` ```
rpm -qa | grep container-selinux rpm -qa | grep container-selinux
``` ```
If the above command returns an empty or no output, you should install it via your package manager. If the above command returns an empty or no output, you should install it via your package manager.
- Check if docker has SELinux support enabled: - Check if docker has SELinux support enabled:
``` ```
# docker info | grep selinux # docker info | grep selinux
``` ```
If the above command returns an empty or no output, create or edit `/etc/docker/daemon.json` and add `"selinux-enabled": true`. Example file content: If the above command returns an empty or no output, create or edit `/etc/docker/daemon.json` and add `"selinux-enabled": true`. Example file content:
``` ```
{ {
"selinux-enabled": true "selinux-enabled": true
} }
``` ```
Then restart the docker daemon and check again.
This needs to be done so that mailcow's volumes are properly labeled as declared in the compose file. If you are interested in how this works, you can check out the Readme of https://github.com/containers/container-selinux which links to a lot of useful information on that topic. Restart the docker daemon and verify SELinux is now enabled.
This step is required to make sure mailcows volumes are properly labeled as declared in the compose file.
If you are interested in how this works, you can check out the readme of https://github.com/containers/container-selinux which links to a lot of useful information on that topic.
**2\.** Clone the master branch of the repository, make sure your umask equals 0022. Please clone the repository as root user and also control the stack as root. We will modify attributes - if necessary - while boostrapping the containers automatically and make sure everything is secured. The update.sh script must therefore also be run as root. It might be necessary to change ownership and other attributes of files you will otherwise not have access to. **We drop permissions for every exposed application** and will not run an exposed service as root! Controlling the Docker daemon as non-root user does not give you additional security. The unprivileged user will spawn the containers as root likewise. The behaviour of the stack is identical. **2\.** Clone the master branch of the repository, make sure your umask equals 0022. Please clone the repository as root user and also control the stack as root. We will modify attributes - if necessary - while boostrapping the containers automatically and make sure everything is secured. The update.sh script must therefore also be run as root. It might be necessary to change ownership and other attributes of files you will otherwise not have access to. **We drop permissions for every exposed application** and will not run an exposed service as root! Controlling the Docker daemon as non-root user does not give you additional security. The unprivileged user will spawn the containers as root likewise. The behaviour of the stack is identical.
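Review bot: the added sentence "This step is required to make sure mailcows volumes are properly labeled" drops the possessive apostrophe that the removed wording had ("mailcow's volumes"); please restore it. The replacement "Restart the docker daemon and verify SELinux is now enabled." also leaves the reader without a concrete check, so consider pointing back to the `docker info | grep selinux` command from the step above, so that the reader confirms the daemon has picked up `"selinux-enabled": true` before the volumes are created and labeled. The unchanged context in step 2 still reads "boostrapping"; that could be corrected in the same text pass.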