Closed antoinetran closed 6 years ago
You are right, thanks! Was able to run it using:
cap_add:
  # Needed for mount.
  - SYS_ADMIN
devices:
  # Needed for mount.
  - /dev/fuse:/dev/fuse
security_opt:
  # Needed for mount.
  - apparmor:unconfined
Oh, you're right, I forgot to mention /dev/fuse. We didn't need apparmor:unconfined, but I guess this is because of SELinux, which we disabled. Also, FYI, we had to configure the mount type in the Docker host as shared instead of private, for our container to be seen in host and containers.
Also, I saw the fixes in the commits: mfschunks and mfsmaster don't need these SYS_ADMIN or /dev/fuse, I am sure of that. I am not sure about apparmor.
Yes, agree - chunkservers and master do not require extra privileges. AppArmor is required for Ubuntu - it refuses to mount without it. Here: https://github.com/moosefs/moosefs-docker-cluster/blob/master/docker-compose-chunkserver-client.yml? There should be chunkservers with clients, but they are without mounts (see commented lines with build). Will fix it, thanks a lot!
All containers in docker-compose.yml have
privileged: true
but they shouldn't because this is a bad practice. In fact, only the MooseFS client needs some kind of privilege:
We have had such a configuration for months and it works well (in CentOS base image).
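
The following is an added example, not part of the thread or the project's own code: a small audit of a compose file that flags `privileged: true` on any service, and `SYS_ADMIN` or `/dev/fuse` on services other than the FUSE client. The service names, the `fuse_clients` parameter and the sample file are constructed assumptions, and the parser assumes 2-space indentation rather than full YAML.

```python
import re

# Constructed sample; service and image names are placeholders.
SAMPLE = """\
services:
  mfsmaster:
    image: example/mfsmaster
    privileged: true
  mfschunkserver:
    image: example/mfschunkserver
    cap_add:
      - SYS_ADMIN
  mfsclient:
    image: example/mfsclient
    cap_add:
      - SYS_ADMIN   # needed for mount
    devices:
      - /dev/fuse:/dev/fuse
    security_opt:
      - apparmor:unconfined
"""

def service_blocks(text):
    """Map each service to its stripped lines; assumes 2-space indentation."""
    blocks, current, in_services = {}, None, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()  # drop comments
        if not line:
            continue
        if not line.startswith(" "):  # top-level key
            in_services, current = line.startswith("services:"), None
        elif in_services and (m := re.match(r"  ([\w.-]+):$", line)):
            current = m.group(1)  # a service name at indent 2
            blocks[current] = []
        elif in_services and current:
            blocks[current].append(line.strip())
    return blocks

def audit(text, fuse_clients=("mfsclient",)):
    """Return sorted (service, finding) pairs for over-privileged services."""
    findings = []
    for name, lines in service_blocks(text).items():
        if "privileged: true" in lines:
            findings.append((name, "privileged: true"))
        if name not in fuse_clients:  # only the client mounts via FUSE
            for item in ("- SYS_ADMIN", "- /dev/fuse:/dev/fuse"):
                if item in lines:
                    findings.append((name, "unneeded " + item[2:]))
    return sorted(findings)
```

Calling `audit()` on the text of a compose file returns an empty list when only the listed client services carry the mount-related settings.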