mviereck / dockerfile-x11docker-deepin

3D desktop deepin from China
MIT License
33 stars 11 forks

Why do you use this setting in Dockerfile: apt-mark hold iptables? #10

Closed hongyi-zhao closed 3 years ago

hongyi-zhao commented 3 years ago

Hi,

I noticed that you hold back iptables in the Dockerfile here, but I really can't understand why you did this.

Any hints will be highly appreciated.

Regards, HY

mviereck commented 3 years ago

I once had issues updating iptables during docker build and the build failed. IIRC iptables needs some capabilities that are disabled by default in docker, and/or apt tried to restart it and failed.

hongyi-zhao commented 3 years ago

I created an image including iptables with this Dockerfile, and it runs smoothly without any problem when started by the following command:

$ x11docker --sudouser -c --hostnet --keepcache --desktop --init=systemd -- --cap-add=ALL --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine startdde

mviereck commented 3 years ago

You should never use --cap-add=ALL as a solution for anything. It is a security leak. If at all, try to find the one capability that is needed, read about it and assess if it is worth the security risk. Edit: The worst and most dangerous capability is SYS_ADMIN.
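A defender-side check in the spirit of the last reply, added here as an example and not code from x11docker or either commenter: decode a container's effective capability mask (the CapEff line of /proc/<pid>/status) into capability names, so you can see what `--cap-add` actually granted and whether SYS_ADMIN is among it. The name table is the kernel's capability bit order; the note that iptables needs NET_ADMIN to change rules is my addition, not a claim from the thread.

```shell
#!/bin/sh
# Added example, not part of the x11docker project: decode a Linux capability
# bitmask (hex, as printed in /proc/<pid>/status CapEff) into capability names.

# Capability names in kernel bit order: bit 0 = CHOWN ... bit 40 = CHECKPOINT_RESTORE.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON \
BPF CHECKPOINT_RESTORE"

# cap_names HEXMASK -> prints the names of all set bits on one line, space separated
cap_names() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# has_cap HEXMASK NAME -> exit 0 if NAME is set in the mask, 1 otherwise
has_cap() {
    for name in $(cap_names "$1"); do
        [ "$name" = "$2" ] && return 0
    done
    return 1
}

# review_caps HEXMASK -> flag SYS_ADMIN, and report NET_ADMIN (what iptables
# needs to edit netfilter rules), instead of reaching for --cap-add=ALL.
review_caps() {
    if has_cap "$1" SYS_ADMIN; then
        echo "DANGER: SYS_ADMIN present (near-root control of the host kernel)"
    fi
    if has_cap "$1" NET_ADMIN; then
        echo "note: NET_ADMIN present (iptables can change rules)"
    else
        echo "note: NET_ADMIN absent (iptables cannot change rules here)"
    fi
}

# On Linux, decode this shell's own effective set (run inside the container).
if [ -r /proc/self/status ]; then
    cur=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "CapEff $cur: $(cap_names "$cur")"; review_caps "$cur"
fi
# Constructed sample: Docker's default set, 14 capabilities, no SYS_ADMIN.
echo "docker default: $(cap_names 00000000a80425fb)"
```

Run it as `docker run --rm <image> sh decode_caps.sh` (or copy it into an already running container) to compare the decoded set with what the workload actually needs.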