Skip to content

Integrate Docker (maximum requirements) #535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
2 of 13 tasks
php-coder opened this issue Feb 21, 2017 · 0 comments
Open
2 of 13 tasks

Integrate Docker (maximum requirements) #535

php-coder opened this issue Feb 21, 2017 · 0 comments
Assignees
@php-coder
Labels
area/documentation area/infrastructure environment/prod Issue affects only production environment impact/changelog This change should be reflected in the NEWS.txt file impact/deploy Manual actions will be required during deployment
Milestone
next

Comments

@php-coder
Copy link
Owner

php-coder commented Feb 21, 2017
edited
Loading

Follow-up to #534
@php-coder php-coder added area/documentation area/infrastructure environment/prod Issue affects only production environment impact/changelog This change should be reflected in the NEWS.txt file impact/deploy Manual actions will be required during deployment labels Feb 21, 2017
@php-coder php-coder added this to the next milestone Feb 21, 2017
@php-coder php-coder self-assigned this Feb 21, 2017
@php-coder php-coder changed the title Integrate Docker (with maximum requirements) Integrate Docker (maximum requirements) Feb 21, 2017
php-coder added a commit that referenced this issue Aug 27, 2018
@php-coder
docker: run a container without bounded capabilities.
f2e2407 
Before:
$ docker-compose run --rm web grep ^Cap /proc/1/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

$ docker-compose run --rm web capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(mystamps)
gid=1000(mystamps)
groups=

After:
$ docker-compose run --rm web capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(mystamps)
gid=1000(mystamps)
groups=

$ docker-compose run --rm web grep ^Cap /proc/1/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
CapAmb: 0000000000000000

Details:
- http://www.projectatomic.io/blog/2016/01/how-to-run-a-more-secure-non-root-user-container/
- https://docs.docker.com/compose/compose-file/#cap_add-cap_drop

Addressed to #535

[ci skip]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@php-coder php-coder

Labels
area/documentation area/infrastructure environment/prod Issue affects only production environment impact/changelog This change should be reflected in the NEWS.txt file impact/deploy Manual actions will be required during deployment
Projects
None yet
Milestone
next
Development

No branches or pull requests
1 participant
@php-coder