Problem
We are currently using the --privileged flag when running Docker in the acceptance test. This is done to run KVM inside but basically gives the container full root access on the host.
Solution
Use options such as --device and --cap-add to only give the container the exact permissions we need.
Remarks
Access to the Docker API is effectively root access. Even lacking --privileged, there are numerous mechanisms to avoid system policy if one has access to the docker socket or API.
It seems that when a user has access to docker, that user essentially has root access. If we were going to have root access anyway, I figured it's better to make that obvious by using sudo so the next person touching the code will be aware of it.
It could be a good idea to also investigate if there are side-effects to that and if that was a terrible idea.
moby/moby#9976
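One way to check that a test container stays within the narrow grant proposed above, as an added example (not code from this project): it reads `docker inspect` output and flags `--privileged`, capabilities or devices outside an allowlist, and a mounted Docker socket. The container names, the sample JSON and the `/dev/kvm`-only allowlist are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (HostConfig only).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/acceptance-privileged",
  "HostConfig": {"Privileged": true, "CapAdd": null, "Devices": [], "Binds": null}},
 {"Name": "/acceptance-kvm",
  "HostConfig": {"Privileged": false, "CapAdd": null,
    "Devices": [{"PathOnHost": "/dev/kvm", "PathInContainer": "/dev/kvm",
                 "CgroupPermissions": "rwm"}],
    "Binds": null}},
 {"Name": "/ci-helper",
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "Devices": [],
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
]
""")

# Assumption: the acceptance test needs only the KVM device node, no extra caps.
ALLOWED_DEVICES = {"/dev/kvm"}
ALLOWED_CAPS = set()
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def audit(container):
    """Return a list of findings for one `docker inspect` entry."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and all host devices")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):  # names may carry the CAP_ prefix or not
            name = name[4:]
        if name not in ALLOWED_CAPS:
            findings.append(f"cap-add outside allowlist: {name}")
    for dev in hc.get("Devices") or []:
        if dev.get("PathOnHost") not in ALLOWED_DEVICES:
            findings.append(f"device outside allowlist: {dev.get('PathOnHost')}")
    for bind in hc.get("Binds") or []:
        if bind.split(":", 1)[0] in DOCKER_SOCKETS:
            findings.append("docker socket mounted: root-equivalent on the host")
    return findings

def audit_all(containers):
    """Map container name (without the leading slash) to its findings."""
    return {c["Name"].lstrip("/"): audit(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

In CI the same function can be fed `json.loads` of real `docker inspect <container>` output and the job failed when any finding is returned.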