Open JohnOmernik opened 7 years ago
Hi! and Thanks!
This is a valid comment, `--privileged` is a lazy way out of it. The reasons for the privileged mode are tmpfs mounting, MongoDB and changing the process user/group when launching processes. Still, these can be controlled in a more detailed way through the `--cap-add` option.
Try the following instead of `--privileged` to see if it works:
```
--cap-add=SETUID
--cap-add=SETGID
--cap-add=SYS_ADMIN
--cap-add=DAC_READ_SEARCH
--cap-add=NET_BIND_SERVICE
--cap-add=SYS_PTRACE
```
Source: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
I'll keep the issue open until we can come to an agreement on what is the reasonable list of capabilities to give to the container and I'll commit the change.
Thanks for taking security seriously! 🥇 😎
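As an added example (not code from the thread or the project), the script below builds the `docker run` flags for the six-capability allow-list above on top of `--cap-drop=ALL`, and gives a check that the `CapEff` mask reported in `/proc/self/status` inside the container matches exactly that list and nothing more. The image name `example/image` is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the issue thread. Replaces --privileged with an
# explicit capability allow-list and verifies the effective set from inside
# the container. Assumes a placeholder image name "example/image".

# The six capabilities proposed in the thread.
WANTED_CAPS="DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE SYS_PTRACE SYS_ADMIN"

# Build the docker run arguments: drop everything Docker would grant by
# default, then add back only the listed capabilities.
cap_args() {
  printf -- '--cap-drop=ALL'
  for c in $WANTED_CAPS; do printf -- ' --cap-add=%s' "$c"; done
}

# Map a capability name to its bit number (values from <linux/capability.h>).
cap_bit() {
  case "$1" in
    DAC_READ_SEARCH) echo 2 ;;   SETGID) echo 6 ;;       SETUID) echo 7 ;;
    NET_BIND_SERVICE) echo 10 ;; SYS_PTRACE) echo 19 ;;  SYS_ADMIN) echo 21 ;;
    *) echo -1 ;;
  esac
}

# Compute the expected CapEff mask (16 hex digits) for the allow-list.
expected_mask() {
  local mask=0 c
  for c in $WANTED_CAPS; do mask=$(( mask | (1 << $(cap_bit "$c")) )); done
  printf '%016x' "$mask"
}

# Compare a CapEff value (as printed by `grep CapEff /proc/self/status`)
# against the expected mask; succeeds only on an exact match, so any
# extra bit (a capability outside the allow-list) makes the check fail.
check_capeff() {
  [ "$(( 0x$1 ))" -eq "$(( 0x$(expected_mask) ))" ]
}

# Usage (run on a Docker host):
#   docker run --rm $(cap_args) example/image \
#     sh -c 'grep CapEff /proc/self/status'
# The printed value should equal "$(expected_mask)", i.e. 00000000002804c4.
```

If the container's `CapEff` shows a larger mask, something (a default capability, a compose file, or a leftover `--privileged`) is still granting more than the allow-list.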
First, thank you for putting this together, I was going to do this today, and googled it, and thought I would try it out first.
I wanted to ask about the --privileged flag. Is it needed? Do we know why it's part of the run command? Ideally I like running my containers without it if possible.
John