README.md
+12-9
@@ -35,21 +35,24 @@ NOTE: OpenShift Origin 1.0 has been released [releases page](https://github.com/
35
35
36
36
Security!!!
37
37
-------------------
38
-
OpenShift is a system that runs Docker containers on your machine. In some cases (build operations) it does so using privileged containers. Those containers access your host's Docker daemon and perform `docker build` and `docker push` operations. As such, you should be aware of the inherent security risks associated with performing `docker build` operations on arbitrary images as they have effective root access. This is particularly relevant when running the OpenShift as a node directly on your laptop or primary workstation. Only build and run code you trust.
38
+
OpenShift runs with the following security policy by default:
39
39
40
-
For more information on the security of containers, see these articles:
Consider using images from trusted parties, building them yourself on OpenShift, or only running containers that run as non-root users.
40
+
* Containers run as a non-root unique user that is separate from other system users
41
+
* They cannot access host resources, run privileged, or become root
42
+
* They are given CPU and memory limits defined by the system administrator
43
+
* Any persistent storage they access will be under a unique SELinux label, which prevents others from seeing their content
44
+
* These settings are per project, so containers in different projects cannot see each other by default
45
+
* Regular users can run Docker, source, and custom builds
46
+
* By default, Docker builds can (and often do) run as root. You can control who can create Docker builds through the `builds/docker` and `builds/custom` policy resource.
47
+
* Regular users and project admins cannot change their security quotas.
46
48
49
+
See the [security documentation](https://docs.openshift.org/latest/admin_guide/manage_scc.html) for more on managing these restrictions.
47
50
48
51
Getting Started
49
52
---------------
50
-
The easiest way to run OpenShift Origin is in a Docker container (OpenShift requires Docker 1.6 or higher or 1.6.2 on CentOS/RHEL):
53
+
The easiest way to run OpenShift Origin is in a Docker container (OpenShift requires Docker 1.6.2 or higher):
51
54
52
-
**Important!**: Docker 1.7 changed mount propagation to PRIVATE, which [breaks](https://github.com/openshift/origin/issues/3072) running OpenShift inside a container. If you are on Docker 1.7 you will need to use the [Vagrant](CONTRIBUTING.adoc#develop-on-virtual-machine-using-vagrant) or binary installation paths.
55
+
**Important!**: Docker on non-RedHat distributions (Ubuntu, Debian, boot2docker) has mount propagation PRIVATE, which [breaks](https://github.com/openshift/origin/issues/3072) running OpenShift inside a container. Please use the [Vagrant](CONTRIBUTING.adoc#develop-on-virtual-machine-using-vagrant) or binary installation paths on those distributions.
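Review bot: The new security list contradicts itself: the second bullet states that containers "cannot access host resources, run privileged, or become root", while the Docker build bullet says Docker builds "can (and often do) run as root", and the removed line 38 explained why (build containers run privileged and use the host's Docker daemon for `docker build` and `docker push`). That explanation and the "Only build and run code you trust" advice are dropped, so a reader of the new text no longer learns that granting `builds/docker` is effectively granting root on the node. Suggest qualifying the second bullet (for example "Application containers cannot ...") and restoring the host-daemon caveat in the build bullet, e.g. "Docker builds run in privileged containers with access to the host's Docker daemon, so only grant `builds/docker` and `builds/custom` to users you would trust with the node." Smaller points: `builds/docker` and `builds/custom` are two resources, so "policy resource" should be plural; "security quotas" in the last bullet is not a term used elsewhere in the list (the bullets talk about user IDs, SELinux labels and CPU/memory limits), so name which of those regular users and project admins cannot change; and the Getting Started change replaces a version-based cause for the PRIVATE mount propagation breakage (Docker 1.7) with a distribution-based one while also raising the minimum to 1.6.2, without saying whether the issue is tied to the version, the distribution, or both. State the Docker version and distribution combinations known to work, or give readers a way to check their host (for example `findmnt -o TARGET,PROPAGATION /`) before they try the container path.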