
Re: Security implications of "runAsUser: type: RunAsAny"



You can also set the net bind capability in your image and then
regular users can bind to 80.

https://github.com/openshift/origin/blob/master/images/router/haproxy/Dockerfile#L20

On Tue, Nov 17, 2015 at 3:35 AM, Charles Sabourdin
<kanedafromparis gmail com> wrote:
> I wonder, since the docker will be mapped using a dedicated route, don't you
> think it's wiser (more secure) to let nginx run on another port with fewer
> privileges, let's say 9090, then map your openshift route to it?
>
> (It might not be that simple, but worth asking ;-)
>
> On 17 Nov 2015 5:24 AM, "Clayton Coleman" <ccoleman redhat com> wrote:
>>
>> Yes, you can do that
>>
>> On Nov 16, 2015, at 10:55 PM, Jason DeTiberus <jdetiber redhat com> wrote:
>>
>>
>> On Nov 16, 2015 10:49 PM, "Clayton Coleman" <ccoleman redhat com> wrote:
>> >
>> > Yes - but if you enable the experimental user namespaces feature in
>> > docker 1.9, you won't be able to run routers or admin level pods on nodes.
>> > Until we get fixes into Docker, it's somewhat limiting.
>>
>> Is this something that can be worked around by using "infra" nodes to host
>> the routers and admin level pods with user namespaces disabled and enabling
>> user namespaces elsewhere?
>>
>> >
>> > On Nov 16, 2015, at 8:57 PM, Philippe Lafoucrière
>> > <philippe lafoucriere tech-angels com> wrote:
>> >
>> >> Hmm, I'm not talking about "privileged" containers (in the docker way),
>> >> I just want to run standard containers that users can find on the docker
>> >> hub, like "nginx". It doesn't have to run privileged, it's just running as
>> >> root inside.
>> >> As this image does as well:
>> >> https://github.com/nginxinc/openshift-nginx
>> >> It needs to run as root to bind the port 80 (but not only).
>> >>
>> >> Thanks
>> >>
>> >
>> >
>> > _______________________________________________
>> > users mailing list
>> > users lists openshift redhat com
>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> >
>>
>>
>
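As an added example of the approach suggested at the top of this thread (not code from the thread or from the openshift/origin router image), the Dockerfile below builds a hypothetical nginx image that binds port 80 as a non-root user by granting the binary the file capability instead of running the container as root. It assumes the Debian-based official nginx:1.9 image and an arbitrary non-root UID of 1001.

```dockerfile
# Added example: non-root nginx that can still bind port 80.
# Base image and UID are assumptions, not taken from the thread.
FROM nginx:1.9

# setcap is shipped in libcap2-bin on the Debian base of the official image.
RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin \
    && rm -rf /var/lib/apt/lists/*

# Grant only CAP_NET_BIND_SERVICE to the nginx binary. A file capability is
# applied for whatever UID executes the binary, so it also works when
# OpenShift assigns a random UID instead of honouring USER below.
# It is still bounded by the container's capability set: if the pod's SCC or
# docker run drops NET_BIND_SERVICE, this has no effect and the bind fails.
RUN setcap cap_net_bind_service=+ep /usr/sbin/nginx

# nginx writes its cache and pid file at runtime; make those paths owned by
# GID 0 and group-writable so any non-root UID in group 0 can use them.
RUN chgrp -R 0 /var/cache/nginx /run \
    && chmod -R g=u /var/cache/nginx /run

USER 1001
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
```

After building, `getcap /usr/sbin/nginx` inside the container should report `cap_net_bind_service+ep`; the alternative discussed in the thread, listening on an unprivileged port such as 9090 and pointing the route at it, needs no capability at all.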

