Security fixes

CERIT-SC · Sep 5, 2024 · ac5c9c2 · ac5c9c2
1 parent 826f13e
commit ac5c9c2
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSecurityContext.groovy b/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSecurityContext.groovy
@@ -36,12 +36,16 @@ class PodSecurityContext {
     private Map spec
 
     PodSecurityContext(def user) {
-        spec = [runAsUser: user]
+        spec = [runAsUser: user, seccompProfile: [ type: "RuntimeDefault"], runAsNonRoot : true]
     }
 
     PodSecurityContext(Map ctx) {
         assert ctx
         spec = ctx
+        if( ! spec.runAsNonRoot )
+          spec.runAsNonRoot = true
+        if( ! spec.seccompProfile )
+          spec.seccompProfile = [type: "RuntimeDefault"]
     }
 
     Map toSpec() { spec }

diff --git a/packing.gradle b/packing.gradle
@@ -298,6 +298,7 @@ task dockerPack(type: Exec, dependsOn: ['packOne']) {
     COPY entry.sh /usr/local/bin/entry.sh
     COPY dist/docker /usr/local/bin/docker
     ENV NXF_HOME=/.nextflow
+    ENV NXF_ENABLE_FS_SYNC=true
     RUN chmod +x /usr/local/bin/nextflow /usr/local/bin/entry.sh
     RUN nextflow info && chown -R 1000:1000 /.nextflow
     ENTRYPOINT ["/usr/local/bin/entry.sh"]