odpi / egeria-samples

various samples that can be useful either for learning or as initial starting points for working with Egeria
Apache License 2.0

Migrate to running processes in container as non root #20

Closed planetf1 closed 3 years ago

planetf1 commented 5 years ago

Currently our containers typically run processes as root. To improve security it is desirable to instead run containers via a known uid/gid - this reduces any exposure via Linux namespace bugs/leakage.

See https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b

Note also that containers should not run with additional privileges where possible - any that require this must be clearly documented.
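One way to check a rendered chart against the two requirements in the comment above (a known non-root uid/gid, and no additional privileges unless documented). This is an added example, not part of the issue thread or the Egeria project's code; the container names and uid/gid values in the sample are constructed, and the pod spec is assumed to be available as parsed JSON.

```python
"""Audit a Kubernetes pod spec for root or extra-privilege containers (added example)."""

# Constructed sample: a pod spec as parsed from a chart rendered to JSON.
# Container names and uid/gid values are made up for illustration.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True},
    "containers": [
        {  # inherits the pod-level non-root uid/gid, requests nothing extra
            "name": "hardened",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        },
        {  # overrides the pod default back to root and adds privileges
            "name": "legacy",
            "securityContext": {"runAsUser": 0, "privileged": True,
                                "capabilities": {"add": ["NET_ADMIN"]}},
        },
    ],
}


def audit_pod_spec(spec):
    """Return {container name: [findings]}; an empty list means nothing to document."""
    pod_sc = spec.get("securityContext") or {}
    report = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Container-level settings take precedence over pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        findings = []
        if uid == 0:
            findings.append("runs as uid 0")
        elif uid is None and not non_root:
            findings.append("no uid set and runAsNonRoot not enforced")
        if sc.get("privileged"):
            findings.append("privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append("allowPrivilegeEscalation not disabled")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append("adds capabilities: " + ", ".join(sorted(added)))
        report[c["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_pod_spec(SAMPLE_POD_SPEC).items():
        print(name, findings or "ok")
```

Any container with a non-empty findings list is one that either needs fixing or needs the documented justification the comment asks for.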

cmgrote commented 5 years ago

Done for Egeria itself (OMAG Server Platform / chassis and UI)

github-actions[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

planetf1 commented 4 years ago

still valid

planetf1 commented 4 years ago

The remaining containers are likely to move in odpi/egeria#458. Leaving open and will revisit/transfer as appropriate after that change

planetf1 commented 3 years ago

The VDC environment will need significant re-work to adapt to the many changes made in Egeria to better support metadata integration. Additionally the helm charts used for the lab & a simple base config have evolved to better support different types of services, exposing of ports, persistent storage etc.

As such, specific incremental changes to the current - now old - charts do not really add value.

As such, closing for now.