
Re: [atomic-devel] Oneway - a way to drop privileges inside containers and lock it like that



A couple of things.  1. You could use real systemd rather than using some
other init system.

Secondly and perhaps conflicting, is why not run apache as non root to
start rather than dropping privs.  Apache will run perfectly fine without
requiring root privs.  Also you could set the NO_NEW_PRIVS right in
docker/k8s.


On 09/06/2016 01:46 PM, Muayyad AlSadi wrote:
>
> Hi,
>
> Typical fictional unicorn containers should have one process
>
> In practice it's actually processes of one concern ex. Apache
>
> One issue is that your entry point /start.sh should exec to replace
> the shell (so that application process would receive signals)
>
> Since start.sh is pid 1 it has the responsibility to handle zombies.
> For this we can use Yelp's dumb-init (which is almost to be pushed to
> official repo and already in copr)
>
> https://github.com/Yelp/dumb-init
>
> Typically our start.sh starts confd in background using nohup
>
> Then I exec my application but I would like to drop privileges, first
> I used exec sudo or exec su but it won't replace the process.
>
> I wrote a simple application that drops groups, supplementary groups
> and user
>
> Not only that but also it can optionally set PR_SET_NO_NEW_PRIVS with
> prctl so that it will never get more privileges even with sudo/su.
>
> What do you think?
>
> https://github.com/muayyad-alsadi/oneway/blob/master/README.md
>
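
The drop-and-lock sequence described in the quoted message (clear supplementary groups, set group and user, set PR_SET_NO_NEW_PRIVS, then exec so the application replaces the launcher), as an added C example for Linux. It is not part of the thread and not the oneway source; the function names `drop_to` and `lock_no_new_privs` and the command-line form are assumptions.

```c
/* Added example: drop root, lock with no_new_privs, then exec (Linux only). */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Set no_new_privs and return the kernel's view of the flag (1 = locked).
 * Once set it cannot be cleared and is inherited across fork and execve,
 * so setuid binaries such as su/sudo no longer grant anything. */
int lock_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Drop to uid/gid. Order matters: supplementary groups and gid must go
 * while we still have the privilege to change them, uid goes last. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;   /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Usage (hypothetical CLI): ./dropexec UID GID CMD [ARGS...] */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s UID GID CMD [ARGS...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_to(uid, gid) != 0 || lock_no_new_privs() != 1) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;                      /* fail closed: never exec as root */
    }
    execvp(argv[3], &argv[3]);         /* replaces this process, keeps PID */
    perror("execvp");
    return 127;
}
```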

