From 5724e437d748ed925783fd548ff1262d1ef18ca6 Mon Sep 17 00:00:00 2001
From: chandi
Date: Thu, 9 Apr 2020 08:02:08 +0200
Subject: [PATCH] reduced container privileges

---
 docker-compose.yml | 9 +++------
 setup.sh           | 2 --
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 807ab0f..e25e3fe 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,11 +3,10 @@ version: '2'
 services:
   bbb:
     image: bbb
-    privileged: true
     hostname: meet.livingutopia.org
     cap_add:
-      - NET_ADMIN
       - SYS_NICE # for realtime scheduling
+      - SYS_ADMIN # for systemd
     environment:
       - container=docker
     tmpfs:
@@ -15,7 +14,8 @@ services:
       - /run/lock
       - /tmp:exec,mode=777
     volumes:
-      - ./setup.sh:/opt/docker-bbb/setup.sh
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro # for systemd
+      - ./setup.sh:/opt/setup.sh
       - ./mod/freeswitch/vars.xml:/opt/freeswitch/conf/vars.xml
       - ./mod/freeswitch/external.xml:/opt/freeswitch/conf/sip_profiles/external.xml
       - ./mod/nginx/sip.nginx:/etc/bigbluebutton/nginx/sip.nginx
@@ -26,7 +26,4 @@ services:
       - ./mod/web/bigbluebutton.properties:/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties
       - ./mod/kurento/WebRtcEndpoint.conf.ini:/etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
       - ./mod/bbb-webrtc-sfu/config.yml:/usr/local/bigbluebutton/bbb-webrtc-sfu/config/default.yml
-      - ./rc.local:/etc/rc.local
-    security_opt:
-      - seccomp:unconfined
     network_mode: host
diff --git a/setup.sh b/setup.sh
index e901258..96f314e 100755
--- a/setup.sh
+++ b/setup.sh
@@ -5,8 +5,6 @@ HOST=meet.livingutopia.org
 TOMCAT_USER=tomcat7
 SERVLET_DIR=/usr/share/bbb-web
 
-echo $HOST > /etc/hostname
-
 TURN_XML=$SERVLET_DIR/WEB-INF/classes/spring/turn-stun-servers.xml
 
 while [ ! -f $SERVLET_DIR/WEB-INF/classes/bigbluebutton.properties ]; do sleep 1; echo -n '.'; done
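Review bot: The `SYS_ADMIN` entry added under `cap_add` is one of the broadest capabilities Linux has (mount and namespace operations among others, and as far as I recall Docker's default seccomp profile also unlocks additional syscalls when it is present), so the reduction this hunk achieves is smaller than the subject line suggests, and because there is no `cap_drop`, Docker's default capability set is still granted on top of it. Making the retained set explicit with `cap_drop:` / `  - ALL` placed before `cap_add`, then re-adding only what the systemd boot and the realtime scheduling actually need, would document the intended floor and make future additions visible in review; which caps systemd requires would have to be confirmed by testing the image. The inline comment could also say so, e.g. `- SYS_ADMIN # for systemd; broad capability, effectively root-equivalent inside the container`. Note that `network_mode: host` (outside this hunk) keeps the container in the host network namespace, which is why dropping `NET_ADMIN` is the smaller of the two wins here.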
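Review bot: `./setup.sh:/opt/setup.sh` is bind-mounted read-write, so a process inside the container can rewrite a script that lives on the host and is presumably executed on the next container start; the cgroup line just above already shows the pattern, so `- ./setup.sh:/opt/setup.sh:ro` costs nothing and closes that path (the same applies to the `./mod/*` config mounts, which continue past the end of this hunk). The mount target also moved from `/opt/docker-bbb/setup.sh` to `/opt/setup.sh`, and nothing in this diff updates whatever invokes it (Dockerfile, entrypoint or unit file), so confirm that side changed in a companion commit or the script is silently no longer run.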