Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[docker-nat] limit privileged flag for nat container #17756

Merged
merged 2 commits into from
Jan 26, 2024
Merged

[docker-nat] limit privileged flag for nat container #17756

merged 2 commits into from
Jan 26, 2024

Conversation

maipbui
Copy link
Contributor

@maipbui maipbui commented Jan 11, 2024

Why I did it

HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
  • Microsoft ADO (number only): 14807420

How I did it

Reduce linux capabilities in privileged flag

How to verify it

Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.

admin@vlab-01:~$ docker inspect nat | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it nat bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211
  • 202305

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@qiluo-msft
Copy link
Collaborator

@kirankella Could you help review this PR?

qiluo-msft
qiluo-msft previously approved these changes Jan 11, 2024
View reviewed changes
@maipbui
Copy link
Contributor Author

maipbui commented Jan 16, 2024

@kirankella @stepanblyschak @abdosi could you help review this PR?

@stepanblyschak
Copy link
Collaborator

stepanblyschak commented Jan 16, 2024
edited
Loading

@maipbui If nat is no longer priviledged does any application inside NAT require at least --cap-add=NET_ADMIN? E.g. for conntrack?

@maipbui
add NET_ADMIN
573c886 
Signed-off-by: Mai Bui <[email protected]>
@maipbui
Copy link
Contributor Author

maipbui commented Jan 16, 2024

@maipbui If nat is no longer priviledged does any application inside NAT require at least --cap-add=NET_ADMIN? E.g. for conntrack?

Yes, NAT needs NET_ADMIN for conntrack in restore_nat_entries, thank you

@maipbui
Copy link
Contributor Author

maipbui commented Jan 18, 2024

@stepanblyschak could you help review again?

@qiluo-msft
Copy link
Collaborator

@kirankella Could you help review?

@maipbui
Copy link
Contributor Author

maipbui commented Jan 23, 2024

@stepanblyschak @kirankella could you help review?

@maipbui maipbui mentioned this pull request Jan 23, 2024
Merged
@qiluo-msft qiluo-msft merged commit e8b1722 into sonic-net:master Jan 26, 2024
19 checks passed
@maipbui maipbui deleted the nat_priv branch January 26, 2024 19:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stepanblyschak stepanblyschak stepanblyschak approved these changes

@qiluo-msft qiluo-msft qiluo-msft approved these changes

@xumia xumia Awaiting requested review from xumia xumia is a code owner

@lguohan lguohan Awaiting requested review from lguohan lguohan is a code owner

@abdosi abdosi Awaiting requested review from abdosi

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maipbui @qiluo-msft @stepanblyschak