[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

The proposal to merge ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening has been updated. Status: Approved => Merged For more details, see: https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/426107 --

[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

The proposal to merge ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening has been updated. Status: Needs review => Approved For more details, see: https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/426107

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

Review: Approve LGTM, thx -- https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/426107 Your team Wordpress Charmers is subscribed to branch charm-k8s-wordpress:container-hardening. -- Mailing list: https://launchpad.net/~wordpress-charmers Post to

[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

The proposal to merge ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening has been updated. Commit message changed to: fix: apache2 running as unprivileged user - allow o+rwx for std{err,out} so apache workers have necessary permissions for

[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

The proposal to merge ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening has been updated. Commit message changed to: fix: apache2 running as unprivileged user - allow o+rwx for std{err,out} so apache workers have necessary   

[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

The proposal to merge ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening has been updated. Commit message changed to: fix: apache2 running as unprivileged user - allow o+rwx for std{err,out} so apache workers have necessary   

[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

The proposal to merge ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening has been updated. Commit message changed to: fix: apache2 running as unprivileged user - allow o+rwx for std{err,out} so apache workers have necessary   

[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

The proposal to merge ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening has been updated. Commit message changed to: fix: apache2 running as unprivileged user - allow o+rwx for std{err,out} so apache workers have necessary

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

Review: Needs Fixing continuous-integration FAILED: Continuous integration, rev:749941f2001ee192f9929f84b1717d9ba781fadc https://jenkins.canonical.com/is/job/lp-charm-k8s-wordpress-ci/34/ Executed test runs: FAILURE: https://jenkins.canonical.com/is/job/lp-charm-test/186/ None:

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

A CI job is currently in progress. A follow up comment will be added when it completes. -- https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/414162 Your team Wordpress Charmers is requested to review the proposed merge of

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

A few comments inline, but also just wondering why you're merging this into a different branch than the current master? Diff comments: > diff --git a/Dockerfile b/Dockerfile > index a338c56..e2451e0 100644 > --- a/Dockerfile > +++ b/Dockerfile > @@ -35,85 +46,141 @@ RUN apt-get update &&

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

Review: Approve continuous-integration PASSED: Continuous integration, rev:929f0dd6cc08e455cd5990de23ca9610fb564a05 https://jenkins.canonical.com/is/job/lp-charm-k8s-wordpress-ci/33/ Executed test runs: SUCCESS: https://jenkins.canonical.com/is/job/lp-charm-test/185/ None:

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

A CI job is currently in progress. A follow up comment will be added when it completes. -- https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/414162 Your team Wordpress Charmers is requested to review the proposed merge of

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

With the caveat that I don't know charms well, I've made a few comments. I hope they're useful. Thanks Diff comments: > diff --git a/Dockerfile b/Dockerfile > index a338c56..9ad0b6b 100644 > --- a/Dockerfile > +++ b/Dockerfile > @@ -35,66 +46,63 @@ RUN apt-get update && apt-get -y dist-upgrade

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

Review: Approve continuous-integration PASSED: Continuous integration, rev:62df061d9d5a1095d2411737f0b216c3c63318e1 https://jenkins.canonical.com/is/job/lp-charm-k8s-wordpress-ci/23/ Executed test runs: SUCCESS: https://jenkins.canonical.com/is/job/lp-charm-test/164/ None:

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

A CI job is currently in progress. A follow up comment will be added when it completes. -- https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/414162 Your team Wordpress Charmers is requested to review the proposed merge of

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

replies inline. Diff comments: > diff --git a/Dockerfile b/Dockerfile > index a338c56..9ad0b6b 100644 > --- a/Dockerfile > +++ b/Dockerfile > @@ -35,66 +46,63 @@ RUN apt-get update && apt-get -y dist-upgrade \ > php-xml \ > pwgen \ > python3 \ > +

Re: [Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

Generally looks good, various comments inline. Diff comments: > diff --git a/Dockerfile b/Dockerfile > index a338c56..9ad0b6b 100644 > --- a/Dockerfile > +++ b/Dockerfile > @@ -1,5 +1,11 @@ > ARG DIST_RELEASE > FROM ubuntu:${DIST_RELEASE} as base > +ARG USERNAME=wordpress > +ARG USER_UID=1000

[Wordpress-charmers] [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening

Thomas Cuthbert has proposed merging ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening. Commit message: fix: first pass at hardening the container - run as unprivileged `wordpress` user - lock down file permissions for app code - ensure