From cf72683f12da2cf8705d3873d12c8447bdec3699 Mon Sep 17 00:00:00 2001 From: Andriy Dobush <78359998+andriydnvd@users.noreply.github.com> Date: Tue, 15 Aug 2023 21:18:50 +0300 Subject: [PATCH] Remove privileged flag for database and snmp docker (#13783) #### Why I did it Reduce docker privilege This is part of HLD https://github.com/sonic-net/SONiC/pull/1364 #### How I did it Remove flag --privileged #### How to verify it docker exec -it database bash root@0048b82b460b:/# ip link add dummy0 type dummy RTNETLINK answers: Operation not permitted --- rules/docker-database.mk | 2 +- rules/docker-snmp.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/docker-database.mk b/rules/docker-database.mk
index a10609933c35..48f3b88a0294 100644
--- a/rules/docker-database.mk
+++ b/rules/docker-database.mk
@@ -25,7 +25,7 @@ SONIC_DOCKER_DBG_IMAGES += $(DOCKER_DATABASE_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_DATABASE_DBG)
 $(DOCKER_DATABASE)_CONTAINER_NAME = database
-$(DOCKER_DATABASE)_RUN_OPT += --privileged -t
+$(DOCKER_DATABASE)_RUN_OPT += -t
 $(DOCKER_DATABASE)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_DATABASE)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro
diff --git a/rules/docker-snmp.mk b/rules/docker-snmp.mk
index d350540dbe2f..00c20ab6cf72 100644
--- a/rules/docker-snmp.mk
+++ b/rules/docker-snmp.mk
@@ -28,7 +28,7 @@ SONIC_DOCKER_DBG_IMAGES += $(DOCKER_SNMP_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_SNMP_DBG)
 $(DOCKER_SNMP)_CONTAINER_NAME = snmp
-$(DOCKER_SNMP)_RUN_OPT += --privileged -t
+$(DOCKER_SNMP)_RUN_OPT += -t
 $(DOCKER_SNMP)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_SNMP)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro
 $(DOCKER_SNMP)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
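Review bot: The new `$(DOCKER_DATABASE)_RUN_OPT += -t` line carries no record of why the container is now unprivileged, so the next person whose redis tuning fails inside the container will simply put `--privileged` back; add a comment above it such as `# Runs unprivileged by design (HLD sonic-net/SONiC#1364): default Docker capability set and seccomp profile apply; kernel tunables must be set on the host.` The manual `ip link add` check in the description only proves CAP_NET_ADMIN is gone, not that the flag is absent, so a CI assertion like `docker inspect -f '{{.HostConfig.Privileged}}' database` returning `false` would pin the intended state. Dropping `--privileged` still leaves Docker's default capability set (CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_NET_RAW, CAP_SYS_CHROOT, …); if the database service needs none of them, `--cap-drop=ALL` is the natural next step, which I have not verified against redis here. The full list of `_RUN_OPT` additions for this container may continue outside the hunk.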
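Review bot: For the snmp container the same `$(DOCKER_SNMP)_RUN_OPT += -t` line should state which residual privileges snmpd is relying on, because binding UDP/161 needs CAP_NET_BIND_SERVICE, which survives this change only because it is in Docker's default capability set and the process runs as root; a comment such as `# No --privileged: relies on default caps (CAP_NET_BIND_SERVICE for UDP/161); see HLD sonic-net/SONiC#1364` makes that dependency explicit. If the container is later moved to a non-root user or to `--cap-drop=ALL`, that capability must be re-added with `--cap-add=NET_BIND_SERVICE`, and any other capability snmpd's agent extensions need should be confirmed by testing rather than assumed. The description's verification step was run only against the database container; the snmp container deserves the same `ip link add` or `docker inspect -f '{{.HostConfig.Privileged}}' snmp` check before merge. The remaining `_RUN_OPT` lines for this container, if any, lie outside the hunk.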