
Fixed podman SELLinux labelling bug

+22 -1
+4
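--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@
 - Add tarpit for vulnerability scanners hitting known exploit paths (#18)
 
 ### Added
+- Add Traefik ingress for Spindle CI runner at spindle.sans-self.org (#59)
+- Add self-hosted Spindle CI runner with Podman rootless (#57)
 - Add Zot container registry with S3 storage and CVE scanning (#56)
 - Update PDS to use S3 for blob storage instead of filesystem (#52)
 - Add S3 remote backend for OpenTofu state (#50)
@@ -23,6 +25,7 @@
 - Add Tangled knot with Spindle CI/CD to k3s cluster (#1)
 
 ### Fixed
+- Fix Spindle CI runner provisioning for all nodes (#61)
 - Fix knot post-receive hooks not being executable (#54)
 - Remove deleted pds-test subdomain from TLS certificate (#48)
 - Restore PDS and knot data from S3 backups (#34)
@@ -32,6 +35,7 @@
 - Update PDS to v0.4.208 for OAuth metadata support (#13)
 
 ### Changed
+- Update tarpit response with custom message (#58)
 - Upgrade cluster nodes from CAX11 to CAX21 for more memory headroom (#53)
 - Remove IP allowlist restriction from kube API and SSH firewall (#49)
 - Add health check that detects SQLite locking failures (#16)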
+18 -1
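--- a/kube.tf
+++ b/kube.tf
@@ -98,13 +98,30 @@
 # Spindle CI runner — provision user + rootless Podman on every node.
 # Binary pulled from Zot registry (fails gracefully on first bootstrap when Zot isn't up yet).
 postinstall_exec = [
+# User + subuid/subgid for rootless Podman
 "useradd --create-home --shell /bin/bash spindle 2>/dev/null || true",
+"chown spindle:spindle /home/spindle",
 "grep -q '^spindle:' /etc/subuid || usermod --add-subuids 100000-165535 spindle",
 "grep -q '^spindle:' /etc/subgid || usermod --add-subgids 100000-165535 spindle",
 "loginctl enable-linger spindle",
-"mkdir -p /var/lib/spindle/logs && chown -R spindle:spindle /var/lib/spindle",
+
+# Directories: logs, systemd unit, podman config
+"mkdir -p /var/log/spindle && chown spindle:spindle /var/log/spindle",
 "mkdir -p /home/spindle/.config/systemd/user && chown -R spindle:spindle /home/spindle/.config",
+
+# Disable SELinux labels in rootless containers — kernel 6.19 + SELinux prevents
+# mprotect in user namespaces, causing RELRO failures in musl-based containers.
+# Rootless userns isolation is the primary security boundary; labels are defense-in-depth.
+# See: https://github.com/containers/podman/issues/27895
+"mkdir -p /home/spindle/.config/containers && printf '[containers]\\nlabel = false\\n' > /home/spindle/.config/containers/containers.conf && chown -R spindle:spindle /home/spindle/.config/containers",
+
+# Fix SELinux contexts on home dir (provisioning runs as root, labels end up wrong)
+"restorecon -R /home/spindle",
+
+# Pull spindle binary from Zot OCI image
 "podman pull zot.sans-self.org/infra/spindle:latest && CID=$$(podman create zot.sans-self.org/infra/spindle:latest) && podman cp $$CID:/spindle /usr/local/bin/spindle && podman cp $$CID:/spindle.service /home/spindle/.config/systemd/user/spindle.service && podman rm $$CID && chmod 755 /usr/local/bin/spindle && chown -R spindle:spindle /home/spindle/.config || echo 'WARN: spindle image not available, run make setup-spindle after cluster is ready'",
+
+# Enable podman socket for rootless container API
 "sleep 2 && SPINDLE_UID=$$(id -u spindle) && runuser -u spindle -- env XDG_RUNTIME_DIR=/run/user/$${SPINDLE_UID} DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$${SPINDLE_UID}/bus systemctl --user daemon-reload && runuser -u spindle -- env XDG_RUNTIME_DIR=/run/user/$${SPINDLE_UID} DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$${SPINDLE_UID}/bus systemctl --user enable --now podman.socket || true",
 ]
 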
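Review bot: `label = false` written to containers.conf on new line 116 removes SELinux confinement from every container this runner starts, and because the runner executes repository-supplied CI jobs, a kernel bug reachable from a job now lands in the spindle user's unconfined context with only the user namespace in between, which is a larger reduction than the "defense-in-depth" wording on line 114 suggests. Before disabling labels for all containers, it is worth checking whether the mprotect failure shows up as a specific AVC denial in the audit log that a targeted boolean or a small policy module could permit while keeping labels on; failing that, scope the exception to the affected images with `--security-opt label=disable` in the job definition instead of the user-wide config. Separately, `restorecon -R /home/spindle` on new line 119 runs before the `podman cp` into /home/spindle/.config/systemd/user on line 122, so if the wrong-label problem the comment on line 118 describes also applies to files root writes in that step, they are not relabeled — move the restorecon after the pull step or repeat it there. The comment block on lines 112-115 would also benefit from a revisit marker such as `# TODO: drop label = false once podman#27895 / the kernel fix is in the node image`. The resource or module block that contains `postinstall_exec` starts before and ends after this hunk.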