-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[docker-fpm-frr] limit privileged flag for bgp container #14932
Conversation
Signed-off-by: Mai Bui <[email protected]>
/azpw run Azure.sonic-buildimage |
/AzurePipelines run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
/azpw run Azure.sonic-buildimage |
/AzurePipelines run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
@@ -28,7 +28,7 @@ SONIC_DOCKER_IMAGES += $(DOCKER_FPM_FRR) | |||
SONIC_DOCKER_DBG_IMAGES += $(DOCKER_FPM_FRR_DBG) | |||
|
|||
$(DOCKER_FPM_FRR)_CONTAINER_NAME = bgp | |||
$(DOCKER_FPM_FRR)_RUN_OPT += --privileged -t | |||
$(DOCKER_FPM_FRR)_RUN_OPT += -t --cap-add=NET_ADMIN --cap-add=SYS_ADMIN |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is sys_admin required here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
zebra will unexpectedly exited due to missing the required capabilities.
May 2 22:36:14.048947 str-s6000-acs-10 INFO bgp#supervisord: zebra privs_init: initial cap_set_proc failed: Operation not permitted
May 2 22:36:14.049851 str-s6000-acs-10 INFO bgp#supervisord: zebra Wanted caps: cap_net_admin,cap_net_raw,cap_sys_admin=p
May 2 22:36:14.050687 str-s6000-acs-10 INFO bgp#supervisord: zebra Have caps: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=p
May 2 22:36:14.064956 str-s6000-acs-10 INFO bgp#supervisord 2023-05-02 22:36:14,061 INFO exited: zebra (exit status 1; not expected)
@StormLiangMS @Yarden-Z could you help review this PR? Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Description of PR HLD implementation: Container Hardening (sonic-net/SONiC#1364) Dependency: sonic-net/sonic-buildimage#14932 #### What is the motivation for this PR? Check bgp container has access to /dev/sda* or /dev/vda* after limiting privileged flag to less Linux capabilities. #### How did you do it? #### How did you verify/test it? ``` container_hardening/test_container_hardening.py::test_bgp_dev PASSED [100%] ``` Signed-off-by: Mai Bui <[email protected]>
Why I did it HLD implementation: Container Hardening (sonic-net/SONiC#1364) Work item tracking Microsoft ADO (number only): 14807420 How I did it Reduce linux capabilities in privileged flag, retain NET_ADMIN and SYS_ADMIN capabilities How to verify it Install new image to DUT, verify bgp container is up Run bgp sonic-mgmt kvmtest
Description of PR HLD implementation: Container Hardening (sonic-net/SONiC#1364) Dependency: sonic-net/sonic-buildimage#14932 #### What is the motivation for this PR? Check bgp container has access to /dev/sda* or /dev/vda* after limiting privileged flag to less Linux capabilities. #### How did you do it? #### How did you verify/test it? ``` container_hardening/test_container_hardening.py::test_bgp_dev PASSED [100%] ``` Signed-off-by: Mai Bui <[email protected]>
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)
Work item tracking
How I did it
Reduce linux capabilities in privileged flag, retain NET_ADMIN and SYS_ADMIN capabilities
How to verify it
Install new image to DUT, verify bgp container is up
Run bgp sonic-mgmt kvmtest
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)