Set cert volume read only

vmware · Feb 6, 2018 · f72e592 · f72e592
1 parent a0d42d3
commit f72e592
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 19 deletions.
diff --git a/installer/build/scripts/vic-machine-server/vic-machine-server.service b/installer/build/scripts/vic-machine-server/vic-machine-server.service
@@ -12,7 +12,7 @@ EnvironmentFile=/etc/vmware/environment
 ExecStartPre=-/usr/bin/docker kill vic-machine-server
 ExecStartPre=-/usr/bin/docker rm -f vic-machine-server
 ExecStartPre=/etc/vmware/vic-machine-server/configure-vic-machine-server.sh
-ExecStart=/usr/bin/docker run --rm --user 10000:10000 --name vic-machine-server -v /storage/data/certs:/certs -v /storage/log/vic-machine-server:/var/log/vic-machine-server -p ${VIC_MACHINE_SERVER_PORT}:443 vmware/vic-machine-server:ova
+ExecStart=/usr/bin/docker run --rm --user 10000:10000 --name vic-machine-server -v /storage/data/certs:/certs:ro -v /storage/log/vic-machine-server:/var/log/vic-machine-server -p ${VIC_MACHINE_SERVER_PORT}:443 vmware/vic-machine-server:ova
 ExecStop=/usr/bin/docker stop vic-machine-server
 
 [Install]

diff --git a/installer/docs/DESIGN.md b/installer/docs/DESIGN.md
@@ -161,6 +161,24 @@ Components SHOULD run as a Docker container unless there is strong justification
 inclusion method that is approved by the appliance team.
 All processes on the appliance should run with the least privilege required.
 
+The appliance provides a TLS certificate in `/storage/data/certs/`. The system generates a
+self-signed TLS certificate or places a user specified TLS certificate in this directory. All
+components should use this certificate for user facing connections and can access it by mounting
+this directory as a read only volume to the component container
+(`-v /storage/data/certs:/path/on/container:ro`)
+
+`/storage/data/certs/` contains:
+```
+- cert_gen_type    # self-signed or custom
+- ca.srl           # CA serial
+- ca.crt           # CA certificate
+- ca.key           # CA private key
+- server.csr       # server CSR
+- server.crt       # server certificate
+- server.key       # server private key
+- extfile.cnf      # extfile for SAN
+```
+
 ### Requirements
 
 - User ID `10000` MUST be used as the unprivileged user for components
@@ -315,24 +333,6 @@ Component startup scripts:
 - /etc/vmware/harbor
 ```
 
-The appliance provides a TLS certificate in `/storage/data/certs/`. The system generates a
-self-signed TLS certificate or places a user specified TLS certificate in this directory. All
-components should use this certificate for user facing connections and can access it by mounting
-this directory as a read only volume to the component container
-(`-v /storage/data/certs:/path/on/container:ro`)
-
-`/storage/data/certs/` contains:
-```
-- cert_gen_type    # self-signed or custom
-- ca.srl           # CA serial
-- ca.crt           # CA certificate
-- ca.key           # CA private key
-- server.csr       # server CSR
-- server.crt       # server certificate
-- server.key       # server private key
-- extfile.cnf      # extfile for SAN
-```
-
 
 ## Logging