Adding Capability and Security options to kolla-docker

Bug #1572648 reported by Serguei Bezverkhi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla | Fix Released | Medium | Serguei Bezverkhi |

Bug Description

In some situations a container needs to have additional capabilities and security options added. Example: Capability - cap_net_bind_service or SecurityOpt - seccomp=unconfined. The fix for this bug will add the ability to specify these capabilities and security.

Changed in kolla:
assignee: nobody → Serguei Bezverkhi (sbezverk)
Changed in kolla:
status: New → In Progress
Hui Kang (huikang27) wrote :

Hi, Serguei, could you explain in what situation these capabilities are needed? Thanks. - Hui

Changed in kolla:
status: In Progress → Incomplete
Serguei Bezverkhi (sbezverk) wrote :

Recently we needed to allow a process to bind to a socket in the privilege range 1-1024; it either requires root priv for this process or you can add capability net_bind_service to the container where this process runs. With Docker version 1.10 and higher, adding capabilities gets blocked by default; to actually enable it you need to change the default security profile. This is done by using the security option for the docker container. Please let me know if you have more questions.
Serguei
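
A request like the one described above (one added capability plus a security option) can be reviewed before it reaches Docker. The following is an added example, not part of the original report and not kolla's code; the allowlist, the set of broad capabilities, the function names and the dict keys are assumptions chosen for illustration.

```python
# Added example (not kolla code): review a container's requested capabilities
# and security options. Policy sets and names below are assumptions.

ALLOWED_CAPS = {"NET_BIND_SERVICE"}  # assumed per-service allowlist
BROAD_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE"}
# Options that switch a confinement layer off entirely.
DISABLING_OPTS = {("seccomp", "unconfined"), ("apparmor", "unconfined"),
                  ("label", "disable")}


def normalize_cap(name):
    """Map 'cap_net_bind_service' or 'CAP_NET_BIND_SERVICE' to 'NET_BIND_SERVICE'."""
    cap = name.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def split_opt(opt):
    """Split 'key=value' or the older 'key:value' form on the first separator."""
    cut = min((i for i in (opt.find("="), opt.find(":")) if i != -1), default=-1)
    return (opt, "") if cut == -1 else (opt[:cut], opt[cut + 1:])


def review_request(cap_add, security_opt):
    """Return (host_config, findings); findings are (severity, item, reason)."""
    findings = []
    caps = sorted({normalize_cap(c) for c in cap_add})
    for cap in caps:
        if cap in BROAD_CAPS:
            findings.append(("high", cap, "broad capability, far beyond binding a low port"))
        elif cap not in ALLOWED_CAPS:
            findings.append(("medium", cap, "capability not on the allowlist"))
    for opt in security_opt:
        key, value = split_opt(opt.strip())
        if (key.lower(), value.lower()) in DISABLING_OPTS:
            findings.append(("high", opt, "turns off %s confinement for the whole container" % key))
    host_config = {"cap_add": caps, "security_opt": list(security_opt)}
    return host_config, findings


if __name__ == "__main__":
    # Constructed request using the two examples named in the bug description.
    config, issues = review_request(["cap_net_bind_service"], ["seccomp=unconfined"])
    print(config)
    for severity, item, reason in issues:
        print("%-6s %-20s %s" % (severity, item, reason))
```

Run on the two values from the bug description, the capability passes the allowlist while seccomp=unconfined is reported, since it removes syscall filtering for every process in the container rather than for the single bind.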

Changed in kolla:
status: Incomplete → In Progress
Steven Dake (sdake)
Changed in kolla:
importance: Undecided → Medium
milestone: none → newton-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.openstack.org/308447
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=a08a762f30e40dcfd436d76c58e9ce1d989a4a69
Submitter: Jenkins
Branch: master

commit a08a762f30e40dcfd436d76c58e9ce1d989a4a69
Author: Serguei Bezverkhi <email address hidden>
Date: Wed Apr 20 12:13:36 2016 -0400

    Adding ability to specify capabilities and security

    This patch adds ability to specify required capabilities and security
    mode for a specific docker container.

    Change-Id: Ib8c15a8e354178bedd31ebb31a64618431f0e135
    Closes-Bug: #1572648

Changed in kolla:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/kolla 3.0.0.0b1

This issue was fixed in the openstack/kolla 3.0.0.0b1 development milestone.
