Support CapAdd And CapDrop in Docker driver #3695
References for implementers:
I can try implementing this if no one is working on it yet.
@filipochnik No one on the HashiCorp team has gotten around to it yet, so please do!
@schmichael I think I have it working. One thing that came to my mind in the process is that it might be useful to have an option to specify whitelist and blacklist for capabilities in the client config (probably here https://www.nomadproject.io/docs/drivers/docker.html#client-configuration). What do you think? It looks a bit tricky to implement given the special semantics of the ALL capability.
@filipochnik could you please check for tmpfs and readonlyrootfs options for docker driver? I think you can implement them really fast after digging to nomad docker driver.
@alxark I'll try to, once I'm done with this :)
@filipochnik will be just great =)
Closed by #3754
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
In order to run Docker containers more securely, I would like to drop container privileges, and hence pass some extra args for the Nomad Docker Engine API container create call.
"CapAdd": [
".."
],
"CapDrop": [
"..."
],
http://www.projectatomic.io/blog/2016/01/how-to-run-a-more-secure-non-root-user-container/
https://opensource.com/business/15/3/docker-security-tuning
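The capability arithmetic behind the CapAdd/CapDrop fields above, including the special meaning of ALL that the comments call tricky, as an added Go example that is not Nomad's or Docker's own code. It assumes Docker's documented rules (drop ALL then add back; add ALL then drop; otherwise default set minus drops plus adds), the default capability list is constructed here from the well-known Docker defaults with only a handful of extra capabilities standing in for the full kernel list, and the allowlist check illustrates the client-side whitelist idea raised in the thread rather than any shipped Nomad option.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Docker's default capability set for a non-privileged container.
// Constructed here from the well-known default list; the daemon in use
// is the source of truth for the exact set.
var defaultCaps = []string{
	"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
	"NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

// A partial list of the remaining Linux capabilities, enough to show how
// "ALL" expands; a real implementation would use the kernel's full list.
var allCaps = append(append([]string{}, defaultCaps...),
	"NET_ADMIN", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME")

// normalize treats "net_raw", "CAP_NET_RAW" and "NET_RAW" as the same name.
func normalize(name string) string {
	return strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(name)), "CAP_")
}

func contains(list []string, want string) bool {
	for _, c := range list {
		if c == want {
			return true
		}
	}
	return false
}

// EffectiveCaps computes the capability set a container would start with:
//   - "ALL" in cap_add: every capability except those in cap_drop;
//   - "ALL" in cap_drop: nothing but the capabilities in cap_add;
//   - otherwise: the default set minus cap_drop, plus cap_add.
// A name in both lists, or an unknown name, is rejected up front.
func EffectiveCaps(capAdd, capDrop []string) ([]string, error) {
	var adds, drops []string
	for _, a := range capAdd {
		adds = append(adds, normalize(a))
	}
	for _, d := range capDrop {
		drops = append(drops, normalize(d))
	}
	for _, c := range append(append([]string{}, adds...), drops...) {
		if c != "ALL" && !contains(allCaps, c) {
			return nil, fmt.Errorf("unknown capability %q", c)
		}
	}
	for _, a := range adds {
		if contains(drops, a) {
			return nil, fmt.Errorf("capability %q listed in both cap_add and cap_drop", a)
		}
	}

	var base []string // what we start from before applying cap_add
	switch {
	case contains(adds, "ALL"):
		base = allCaps
	case contains(drops, "ALL"):
		base = nil
	default:
		base = defaultCaps
	}
	var out []string
	for _, c := range base {
		if !contains(drops, c) && !contains(out, c) {
			out = append(out, c)
		}
	}
	for _, a := range adds {
		if a != "ALL" && !contains(out, a) {
			out = append(out, a)
		}
	}
	sort.Strings(out)
	return out, nil
}

// Denied returns the capabilities in effective that a client-side allowlist
// (the whitelist idea from the thread) would refuse to grant.
func Denied(effective, allowed []string) []string {
	var denied []string
	for _, c := range effective {
		if !contains(allowed, c) {
			denied = append(denied, c)
		}
	}
	return denied
}

// HostConfigFragment is the part of the Engine API container-create body
// that carries the two lists, in the shape shown in the issue text.
func HostConfigFragment(capAdd, capDrop []string) map[string][]string {
	return map[string][]string{"CapAdd": capAdd, "CapDrop": capDrop}
}

func main() {
	// Drop everything, then add back only what a server binding port 80 needs.
	add, drop := []string{"NET_BIND_SERVICE"}, []string{"ALL"}
	caps, err := EffectiveCaps(add, drop)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	body, _ := json.MarshalIndent(HostConfigFragment(add, drop), "", "  ")
	fmt.Println(string(body))
	fmt.Println("effective:", caps)
	fmt.Println("denied by default-set allowlist:", Denied(caps, defaultCaps))
}
```

Running EffectiveCaps before the create call lets an operator (or a client-config policy) see the final set a job would receive rather than reasoning about the two lists separately, which is where the ALL corner cases bite.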