Drop as much capabilities as possibile for the Collabora container

[Fs00]

As per their official docs, the Collabora container doesn't need any other capabilities in addition to those explicitly added to run correctly. Furthermore, when the seccomp profile is used, it doesn't need any capabilities at all.

This PR implements the required changes to run the Collabora container with cap-drop=ALL, and also removes all added capabilities when the container is run with the seccomp profile. I can confirm that the latter scenario works fine, because I've tested it on a manual-install customized to use the seccomp profile.

[szaimen]

Hi, thanks a lot for the PR! I just invited you to the repo to simplify cooperation in the future :)

General, I agree with the idea, however in the current state, this will likely break collabora on manual-instance and helm chart as the changes from containers.json are later automatically synced to manual-install and then helm chart. So to make this work on all instances, you would probably need to adjust the containers.json and add the seccomp profile there so that it also is used by manual-install and helm-chart of the box.

Please also ensure that update-helm.sh automatically translates the change into working kubernetes yaml.

[Fs00]

I just invited you to the repo to simplify cooperation in the future

Thanks for the invitation but I'll pass, I don't expect to regularly contribute with PRs in the future 🙌🏻

this will likely break collabora on manual-instance and helm chart

No it shouldn't, the Collabora container definition in containers.json already adds the capabilities that are required when not using the seccomp profile (those are also listed in the Collabora docs page I linked above). cap_drop: ALL doesn't drop capabilities added by cap_add.

My main goal here is to make the AIO mastercontainer fully leverage the seccomp profile by removing all capabilities when it's enabled. I don't have any experience with Helm/Kubernetes so I don't know how I could adapt the Helm chart to work with the seccomp profile.

[szaimen]

I just invited you to the repo to simplify cooperation in the future

Thanks for the invitation but I'll pass, I don't expect to regularly contribute with PRs in the future 🙌🏻

this will likely break collabora on manual-instance and helm chart

No it shouldn't, the Collabora container definition in containers.json already adds the capabilities that are required when not using the seccomp profile (those are also listed in the Collabora docs page I linked above). cap_drop: ALL doesn't drop capabilities added by cap_add.

My main goal here is to make the AIO mastercontainer fully leverage the seccomp profile by removing all capabilities when it's enabled. I don't have any experience with Helm/Kubernetes so I don't know how I could adapt the Helm chart to work with the seccomp profile.

I see makes sense. Then please only fix the comment above and we can go ahead with merging this 👍

[szaimen]

Can you please put the logic back to where it was initially places in this file?