Description of the enhancement
The docker-compose.yml for the Skosmos test environment had problems with the skosmos-fuseki-cache Varnish instance, and it needed to be started with the seccomp:unconfined option (as per this message). A better workaround should be written. OTOH, version updates to the Skosmos test stack might render this configuration unnecessary, in which case we should not keep it longer than we need to.
Who are the users that would benefit from the enhancement and how?
This security downgrade was needed since some users couldn't run the docker compose file (the Varnish image, to be precise). This was the effect at least with Ubuntu 20.04 LTS. Results can vary with different Linux versions.
How does the problem manifest?
The problem can be seen by running:
```
docker run -it --security-opt seccomp=default.json varnish   # works
docker run -it varnish   # on some machines, exits at startup with error code 139
```
The error message can be seen in the output for docker compose up:
```
skosmos-fuseki-cache | Assert error in VSUB_closefrom(), vsub.c line 71:
skosmos-fuseki-cache | Condition((close_range(fd, ~0U, 0)) == 0) not true.
skosmos-fuseki-cache | errno = 1 (Operation not permitted)
skosmos-fuseki-cache exited with code 139
```
Some more info on the effects this error was generating can be seen e.g. by docker compose logs:
```
PHP Warning: fsockopen(): Unable to connect to fuseki-cache:80 (php_network_getaddresses: getaddrinfo for fuseki-cache failed: Temporary failure in name resolution) in /var/www/html/vendor/sweetrdf/easyrdf/lib/Http/Client.php on line 435, referer: http://localhost:9090/test/fi/
```
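A narrower alternative to seccomp:unconfined, as an added example that is not part of this issue or the Skosmos repository: it reads the denied syscall out of the Varnish assertion and adds only that syscall to a seccomp profile's allow list. It assumes the failure is the seccomp filter rejecting `close_range` and that the host's container runtime and libseccomp recognise that syscall name; the function names and the shortened profile are constructed for illustration.

```python
import copy
import json
import re

# Constructed sample: the Varnish assertion lines quoted in the issue.
SAMPLE_LOG = """\
skosmos-fuseki-cache | Assert error in VSUB_closefrom(), vsub.c line 71:
skosmos-fuseki-cache | Condition((close_range(fd, ~0U, 0)) == 0) not true.
skosmos-fuseki-cache | errno = 1 (Operation not permitted)
"""

# Constructed, heavily shortened stand-in for Docker's default seccomp profile.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "close"], "action": "SCMP_ACT_ALLOW"},
    ],
}

def denied_syscall(log):
    """Return the syscall named in a failed Condition(...) that hit EPERM, else None."""
    call = re.search(r"Condition\(\(+(\w+)\(", log)
    eperm = re.search(r"errno = 1 \(Operation not permitted\)", log)
    return call.group(1) if call and eperm else None

def is_allowed(profile, name):
    """True if an unconditional SCMP_ACT_ALLOW rule lists the syscall."""
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW" and name in rule.get("names", []):
            # Rules with argument filters or capability gates are not unconditional.
            if not rule.get("args") and not rule.get("includes") and not rule.get("excludes"):
                return True
    return False

def allow_syscall(profile, name):
    """Return a copy of the profile that additionally allows one syscall."""
    patched = copy.deepcopy(profile)
    if not is_allowed(patched, name):
        patched.setdefault("syscalls", []).append(
            {"names": [name], "action": "SCMP_ACT_ALLOW"})
    return patched

if __name__ == "__main__":
    name = denied_syscall(SAMPLE_LOG)
    print(json.dumps(allow_syscall(SAMPLE_PROFILE, name), indent=2))
```

Run against the full default profile of the installed Docker version, the output can be saved to a file and passed as the seccomp profile in place of unconfined, which keeps every other syscall restriction in force.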