exsilium / docker-unifi-video

Dockerized Ubiquiti Unifi Video Controller software (v3.10.13). Mainly intended to be run within MacOS

Privileged Mode - Is it required? #2

Open JohnOmernik opened 7 years ago

JohnOmernik commented 7 years ago

First, thank you for putting this together, I was going to do this today, and googled it, and thought I would try it out first.

I wanted to ask about the --privileged flag. Is it needed? Do we know why it's part of the run command? Ideally I like running my containers without it if possible.

John

exsilium commented 7 years ago

Hi! and Thanks!

This is a valid comment, --privileged is a lazy way out of it. The reasons for the privileged mode are tmpfs mounting, MongoDB and changing the process user/group when launching processes. Still, these can be controlled in a more detailed way through the --cap-add option.

Try the following instead of --privileged to see if it works:

--cap-add=SETUID
--cap-add=SETGID
--cap-add=SYS_ADMIN
--cap-add=DAC_READ_SEARCH
--cap-add=NET_BIND_SERVICE
--cap-add=SYS_PTRACE

Source: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

I'll keep the issue open until we can come to an agreement on what is the reasonable list of capabilities to give to the container and I'll commit the change.

Thanks for taking security seriously! 🥇 😎
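To check what a container actually holds after swapping --privileged for the six --cap-add flags suggested above, its effective capability mask (the CapEff field in /proc/1/status) can be decoded and compared against that list. The script below is an added example, not part of the thread or the project; the function names are hypothetical, DOCKER_DEFAULT is the default capability set listed in the Docker documentation, and bit numbers follow linux/capability.h.

```shell
#!/bin/sh
# Capability names in bit order (bit 0 first), from linux/capability.h.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
 SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
 IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
 SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE \
 AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM \
 BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# Capabilities Docker grants without any --cap-add (documented default set).
DOCKER_DEFAULT="CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID SETPCAP \
 NET_BIND_SERVICE NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP"

# The six capabilities proposed in the thread as a replacement for --privileged.
PROPOSED="SETUID SETGID SYS_ADMIN DAC_READ_SEARCH NET_BIND_SERVICE SYS_PTRACE"

# decode_caps HEXMASK -> names of the capabilities whose bits are set.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# minus "A B C" "B" -> "A C": words of the first list absent from the second.
minus() {
    out=""
    for item in $1; do
        case " $2 " in *" $item "*) ;; *) out="$out $item" ;; esac
    done
    echo "${out# }"
}

# Proposed capabilities the container does NOT hold (flags that were not applied).
missing_proposed() { minus "$PROPOSED" "$(decode_caps "$1")"; }

# Capabilities held beyond default + proposed (a sign --privileged is still set).
beyond_expected() { minus "$(decode_caps "$1")" "$DOCKER_DEFAULT $PROPOSED"; }

# Stand-alone use: pass the hex value printed inside the container by
#   grep CapEff /proc/1/status
if [ $# -gt 0 ]; then
    echo "held:    $(decode_caps "$1")"
    echo "missing: $(missing_proposed "$1")"
    echo "beyond:  $(beyond_expected "$1")"
fi
```

Decoding the default mask also shows that SETUID, SETGID and NET_BIND_SERVICE are already in Docker's default set, so only SYS_ADMIN, DAC_READ_SEARCH and SYS_PTRACE from the proposed list widen what the container holds.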