Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / ff7452b586134e18af9f1362d7b96dcb64aa8d71
commitff7452b586134e18af9f1362d7b96dcb64aa8d71[log] [tgz]
authorJan Schär <jan@monogon.tech>Thu Nov 28 13:08:55 2024 +0100
committerJan Schär <jan@monogon.tech>Thu Nov 28 14:45:57 2024 +0000
tree7e3b9fe5c161cedf1073a086d0b6e5511b20bd98
parent231ee041b652ab2aea6a64e0c4929fa4beb5851b [diff]
m/node/kubernetes: mount PVs with noexec on the host

Now that runc always replaces per-mount-point flags when bind-mounting
volumes inside the container, we can mount them with noexec on the host
without affecting workloads. This has some security advantages, as any
executables in volumes are no longer executable from the host.

Change-Id: Id5a8ea8caf702fca58d300fc9e17c21e94ebaf13
Reviewed-on: https://review.monogon.dev/c/monogon/+/3660
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
1 file changed
tree: 7e3b9fe5c161cedf1073a086d0b6e5511b20bd98
  1. .github/
  2. build/
  3. cloud/
  4. go/
  5. intellij/
  6. metropolis/
  7. osbase/
  8. third_party/
  9. tools/
  10. version/
  11. .bazelignore
  12. .bazelproject
  13. .bazelrc
  14. .bazelrc.ci
  15. .bazelrc.sandboxroot
  16. .bazelversion
  17. .git-ignore-revs
  18. .gitignore
  19. BUILD.bazel
  20. CODING_STANDARDS.md
  21. go.mod
  22. go.sum
  23. LICENSE
  24. MODULE.bazel
  25. MODULE.bazel.lock
  26. README.md
  27. SETUP.md
  28. shell.nix
  29. WORKSPACE
README.md

Monogon Monorepo

This is the main repository containing the source code for the Monogon Platform.

This is pre-release software - take a look, and check back later! In the meantime, join us on Matrix (#monogon-os-community:matrix.org) or Discord.

Environment

Our build environment is self-contained and requires only minimal host dependencies:

  • A Linux machine or VM.
  • Bazelisk >= v1.15.0 (or a working Nix environment).
  • A reasonably recent kernel with user namespaces enabled.
  • Working KVM with access to /dev/kvm (if you want to run tests).

Our docs assume that Bazelisk is available as bazel on your PATH.

Refer to SETUP.md for detailed instructions.

Monogon OS

The source code lives in //metropolis (Metropolis is the codename of Monogon OS).

See the //metropolis/README.md for a developer quick start guide, or see the Monogon OS Handbook for user documentation.