plesk / docker

Dockerfiles for Plesk

Fix #47: Document cgroups args changes #50

Closed sibprogrammer closed 3 months ago

vizovitin commented 3 months ago

While it would be slightly more secure to run with --cgroupns=private, which in general works, it seems to require more setup in some cases and may not work well on some configurations (didn't check the latter, so mostly speculation from my side). So --cgroupns=host is probably not much worse than what we had before with Cgroups v1.

However, I propose to additionally add --cap-add SYS_ADMIN --security-opt apparmor=unconfined, which get rid of some warnings during init and some undesired behaviors during stop. Probably doesn't make the security much worse anyway.

For future reference: