---
# Docker Security Configuration
# Root-owned, world-readable, root-writable directory intended for Docker
# security profiles. No task in this file writes into it (the seccomp
# profile below is placed in /etc/docker/ itself); keep the two locations
# in sync if profiles are moved here.
- name: Create Docker security profiles directory
  tags:
    - docker
    - security
  file:
    path: /etc/docker/security
    state: directory
    owner: root
    group: root
    mode: "0755"
# Render the default seccomp profile to disk. A profile file on its own is
# inert: dockerd has to be pointed at it (daemon.json "seccomp-profile") or
# containers started with --security-opt seccomp=<file>. Neither is done in
# this file, so confirm that wiring exists elsewhere. No handler restarts
# dockerd here, so a changed profile presumably only applies after the next
# daemon restart. Profile content comes from the template, not visible here.
- name: Install seccomp security profile
  tags:
    - docker
    - security
    - seccomp
  template:
    src: seccomp-default.json.j2
    dest: /etc/docker/seccomp-default.json
    owner: root
    group: root
    mode: "0644"
# Render the AppArmor profile for containers. Debian family only: RHEL-family
# hosts use SELinux and have no apparmor_parser. Loading the profile is
# delegated to the "reload apparmor" handler (defined elsewhere), which
# Ansible runs only when this file actually changed. Profile content is in
# the template and is not visible here.
- name: Install AppArmor profile for Docker
  when: ansible_os_family == 'Debian'
  notify: reload apparmor
  tags:
    - docker
    - security
    - apparmor
  template:
    src: docker-framework-apparmor.j2
    dest: /etc/apparmor.d/docker-framework
    owner: root
    group: root
    mode: "0644"
# Force-(re)load the profile on every run: -r replaces an already-loaded
# profile, -W writes the compiled cache. This overlaps with the "reload
# apparmor" handler notified by the previous task; the handler alone would
# suffice when the file changes. changed_when: false keeps the play report
# quiet but also hides whether the kernel had to reload anything.
# NOTE(review): likely fails the play on a Debian host where AppArmor is
# installed but not enabled — consider guarding on the apparmor status.
- name: Load AppArmor profile
  when: ansible_os_family == 'Debian'
  changed_when: false
  tags:
    - docker
    - security
    - apparmor
  command:
    argv:
      - apparmor_parser
      - "-r"
      - "-W"
      - /etc/apparmor.d/docker-framework
# Subordinate UID ranges for user-namespace remapping. The ranges live in
# the template (not visible here) and only take effect if dockerd runs with
# userns-remap enabled, which nothing in this file configures. 0644 matches
# the distro default for /etc/subuid — the file is not secret. backup: true
# keeps the previous file so container ownership can still be traced if a
# range is changed.
- name: Configure user namespace mapping
  tags:
    - docker
    - security
    - userns
  template:
    src: subuid.j2
    dest: /etc/subuid
    owner: root
    group: root
    mode: "0644"
    backup: true
# Subordinate GID ranges, the counterpart of /etc/subuid above. Same
# caveats: ranges come from the template, they matter only with
# userns-remap enabled in the daemon, 0644 is the distro default, and
# backup: true preserves the previous mapping for forensics/rollback.
- name: Configure group namespace mapping
  tags:
    - docker
    - security
    - userns
  template:
    src: subgid.j2
    dest: /etc/subgid
    owner: root
    group: root
    mode: "0644"
    backup: true
# Directory for the daemon's TLS key material. 0750 with group docker lets
# docker-group tooling traverse it while keeping everyone else out; members
# of the docker group are root-equivalent anyway, so this does not widen the
# trust boundary.
- name: Create Docker TLS certificates directory
  tags:
    - docker
    - security
    - tls
  file:
    path: /etc/docker/certs
    state: directory
    owner: root
    group: docker
    mode: "0750"
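# Self-signed server certificate and key for the daemon's TLS listener.
# Changes from the previous version:
#   * -newkey rsa:4096 makes the key size explicit instead of relying on
#     the openssl default.
#   * -addext subjectAltName: recent Go TLS stacks (the docker CLI is one)
#     no longer fall back to the CN for hostname verification, so a cert
#     carrying only /CN=<host> fails --tlsverify. Requires OpenSSL >= 1.1.1.
# Caveats that remain:
#   * creates: makes this a one-shot; nothing renews the cert, so after
#     365 days the daemon serves an expired cert until the file is removed
#     by hand (or a renewal task is added).
#   * openssl writes server-key.pem with the caller's umask (commonly 0644);
#     the following task tightens it to 0640, leaving a short window on
#     shared hosts. Use an explicit umask or a crypto module if that matters.
#   * A self-signed cert is its own CA: clients must pin this exact file as
#     --tlscacert. inventory_hostname comes from the inventory and command:
#     does not go through a shell, so no quoting/injection issue arises.
- name: Generate Docker TLS certificates
  tags:
    - docker
    - security
    - tls
  command: >
    openssl req -new -x509 -days 365 -nodes
    -newkey rsa:4096
    -out /etc/docker/certs/server-cert.pem
    -keyout /etc/docker/certs/server-key.pem
    -subj "/CN={{ inventory_hostname }}"
    -addext "subjectAltName=DNS:{{ inventory_hostname }}"
  args:
    creates: /etc/docker/certs/server-cert.pem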
# Pin ownership and mode of the generated TLS files: the public certificate
# is world-readable, the private key is readable by root and the docker
# group only (docker-group members are root-equivalent regardless). Runs on
# every play, so it also repairs drifted permissions after the one-shot
# generation task above.
- name: Set correct permissions on Docker TLS certificates
  tags:
    - docker
    - security
    - tls
    - permissions
  file:
    path: "{{ item.path }}"
    owner: root
    group: docker
    mode: "{{ item.mode }}"
  loop:
    - path: /etc/docker/certs/server-cert.pem
      mode: "0644"
    - path: /etc/docker/certs/server-key.pem
      mode: "0640"
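# Enable Docker Content Trust for login sessions in production.
# Fix: match on the variable name (regexp) instead of the exact line, so an
# existing "DOCKER_CONTENT_TRUST=0" is replaced rather than a second,
# conflicting line being appended.
# Caveats:
#   * /etc/environment is read by pam_env for login sessions only; the
#     docker daemon, systemd units and cron jobs do not inherit it. DCT is a
#     client-side setting, so this protects operators' interactive shells,
#     not the daemon or automation.
#   * NOTE(review): "environment" is a reserved Ansible keyword (the
#     per-task environment: directive). Using it as a plain variable raises
#     a reserved-name warning and may not resolve to the value the playbook
#     intended, so this condition could silently never hold. Consider
#     renaming the variable where it is defined (not visible here).
- name: Configure Docker Content Trust
  when: environment == 'production'
  tags:
    - docker
    - security
    - trust
  lineinfile:
    path: /etc/environment
    regexp: '^DOCKER_CONTENT_TRUST='
    line: "DOCKER_CONTENT_TRUST=1"
    create: true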
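# Best-effort install of container-security tooling.
# Fix: install the packages one at a time. With a single list, one package
# the distro does not ship fails the whole package-manager transaction, so
# runc was skipped as well and ignore_errors hid that. Per-item
# ignore_errors lets each package succeed or fail on its own; failures are
# still printed, so review them rather than assuming the tools are present.
# NOTE(review): docker-bench-security is normally distributed as a script /
# container image from GitHub, not as a distro package — confirm it exists
# in the target repositories, otherwise this item will always fail. runc is
# the OCI runtime rather than a scanner and is likely already pulled in by
# the Docker engine packages.
- name: Install Docker security scanning tools
  tags:
    - docker
    - security
    - tools
  package:
    name: "{{ item }}"
    state: present
  loop:
    - runc
    - docker-bench-security
  ignore_errors: true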
# Render the audit script executed by the weekly root cron job below.
# root:root 0755 — not group/world-writable — matters because cron runs it
# as root: anyone able to edit it would gain root. The script body is in
# the template and is not visible here.
- name: Create Docker security audit script
  tags:
    - docker
    - security
    - audit
  template:
    src: docker-security-audit.sh.j2
    dest: /usr/local/bin/docker-security-audit.sh
    owner: root
    group: root
    mode: "0755"
# Weekly audit (Mondays 05:00, root's crontab) in production, mailed to the
# address in ssl_email — a variable named for certificate handling, so
# confirm it is the intended recipient.
#   * Relies on mail(1) and a working MTA on the host; neither is installed
#     by this file, and a missing mail binary fails silently inside cron.
#   * Audit output leaves the host as e-mail; keep secrets out of the
#     script's output unless the MTA path is trusted.
#   * NOTE(review): "environment" is a reserved Ansible keyword (per-task
#     environment: directive); using it as a variable may not evaluate as
#     intended, so this job might never be scheduled.
- name: Schedule Docker security audits
  when: environment == 'production'
  tags:
    - docker
    - security
    - audit
    - cron
  cron:
    name: "Docker security audit"
    user: root
    minute: "0"
    hour: "5"
    weekday: "1"
    job: "/usr/local/bin/docker-security-audit.sh | mail -s 'Docker Security Audit - {{ inventory_hostname }}' {{ ssl_email }}"
# Restrict the daemon socket to root and the docker group. root:docker 0660
# is what dockerd itself uses for the socket it creates, so this mostly
# re-asserts the default; the socket is recreated on every daemon restart,
# so a persistent change belongs in the docker.socket systemd unit
# (SocketMode/SocketGroup) on socket-activated installs, not here.
# NOTE(review): the file module fails if the socket does not exist yet
# (daemon not running). Access to this socket is root-equivalent — docker
# group membership is the real control, not the mode bits.
- name: Configure Docker socket security
  tags:
    - docker
    - security
    - socket
  file:
    path: /var/run/docker.sock
    owner: root
    group: docker
    mode: "0660"