From c9df5c67d4693130e29e392c5f84a93035e699c1 Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Thu, 24 Mar 2022 19:27:31 +0000
Subject: [PATCH 1/2] ci: Fix dogfood installation by forcing default configurations The dpkg prompt to override config files was appearing, but this will auto-approve it.
---
 .github/workflows/coder.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/coder.yaml b/.github/workflows/coder.yaml
index b0accfb2769ee..734c5ce896278 100644
--- a/.github/workflows/coder.yaml
+++ b/.github/workflows/coder.yaml
@@ -336,7 +336,7 @@ jobs:
 gcloud config set project coder-dogfood
 gcloud config set compute/zone us-central1-a
 gcloud compute scp ./dist/coder_*_linux_amd64.deb coder:/tmp/coder.deb
- gcloud compute ssh coder -- sudo dpkg -i /tmp/coder.deb
+ gcloud compute ssh coder -- sudo dpkg -i --force-confdef /tmp/coder.deb
 gcloud compute ssh coder -- sudo systemctl daemon-reload
 - name: Start
From 0c25def277c1e594eeb80ca2f5dfc4328464dd79 Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Thu, 24 Mar 2022 19:45:25 +0000
Subject: [PATCH 2/2] Add CAP_NET_BIND_SERVICE to allow listening on :443
---
 coder.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coder.service b/coder.service
index f777842385fcc..1f6b212cd5cf5 100644
--- a/coder.service
+++ b/coder.service
@@ -17,7 +17,7 @@ ProtectHome=read-only
 PrivateTmp=yes
 PrivateDevices=yes
 SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
 NoNewPrivileges=yes
 ExecStart=/usr/bin/coder start
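Review bot: `--force-confdef` on the new `dpkg -i` line only selects dpkg's default action when one exists; for a conffile conflict with no default, dpkg still stops to ask, which over this non-interactive `gcloud compute ssh` step would stall or fail the deploy. Pairing it with an explicit fallback makes the outcome deterministic, e.g. `gcloud compute ssh coder -- sudo dpkg -i --force-confdef --force-confold /tmp/coder.deb` to keep the host's existing file. A short comment above the step stating which side wins (packaged default or locally edited config) would also help, since that decides what configuration the dogfood host actually runs after each deploy. The `run:` block this line belongs to starts outside the hunk.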
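Review bot: `CAP_NET_BIND_SERVICE` is added to `AmbientCapabilities=`, but the `CapabilityBoundingSet=` context line directly below still lists only `CAP_SYSLOG CAP_IPC_LOCK`, so the unit's two capability lists now disagree. Whether the grant takes effect with that mismatch depends on how systemd applies the bounding set, so I would confirm on the host that the service can bind :443 and keep the lists aligned with `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE`. A one-line comment such as `# CAP_NET_BIND_SERVICE: needed to listen on :443` would record why the capability is granted, so it can be dropped again if the listener moves to a high port. The rest of the `[Service]` section, including which user the service runs as, is outside the hunk.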