Drop unused capabilities from containers

Bug #1636424 reported by Christian Berendt on 2016-10-25
This bug affects 1 person
Affects: kolla
Importance: Wishlist
Assigned to: Steven Dake

Bug Description

With Docker it is possible to drop unused capabilities from containers. It should be checked whether there are unused capabilities that can be dropped by default (e.g. mknod).

http://rhelblog.redhat.com/2016/10/17/secure-your-containers-with-this-one-weird-trick/
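
An added example, not part of the bug report or of Kolla's code: one way to confirm that a capability such as mknod is really gone from a running container is to decode the `CapBnd` mask in `/proc/<pid>/status`. The names and bit numbers are Docker's documented default capability set and `linux/capability.h`; the status text below is constructed sample input, and `audit` is a hypothetical helper name.

```python
import re

# Docker's default capability set, keyed by bit number from linux/capability.h.
DOCKER_DEFAULT = {
    0: "CHOWN", 1: "DAC_OVERRIDE", 3: "FOWNER", 4: "FSETID", 5: "KILL",
    6: "SETGID", 7: "SETUID", 8: "SETPCAP", 10: "NET_BIND_SERVICE",
    13: "NET_RAW", 18: "SYS_CHROOT", 27: "MKNOD", 29: "AUDIT_WRITE",
    31: "SETFCAP",
}

# Constructed /proc/<pid>/status excerpts: a default container, and one
# started with MKNOD dropped.
SAMPLE_DEFAULT = (
    "Name:\tsleep\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
SAMPLE_DROPPED = SAMPLE_DEFAULT.replace("a80425fb", "a00425fb")


def parse_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from status text."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}


def audit(status_text, expected_dropped):
    """Compare the bounding set with the capabilities meant to be dropped."""
    bnd = parse_masks(status_text)["CapBnd"]
    held = {name for bit, name in DOCKER_DEFAULT.items() if (bnd >> bit) & 1}
    known = sum(1 << bit for bit in DOCKER_DEFAULT)
    # Bits outside the default set mean capabilities were added, not dropped.
    extra = [b for b in range(64) if ((bnd & ~known) >> b) & 1]
    return {
        "held": sorted(held),
        "still_present": sorted(held & set(expected_dropped)),
        "beyond_default_bits": extra,
    }


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("dropped", SAMPLE_DROPPED)):
        print(label, audit(text, ["MKNOD"]))
```

The bounding set is checked rather than `CapEff` because a non-root process in the container shows an empty effective set while the bounding set still limits what it could regain.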

Changed in kolla:
milestone: none → ocata-1
Steven Dake (sdake) wrote :

This is a feature, and should be tracked in a blueprint. We have known for some time that capabilities tuning would be beneficial to Kolla - just no time to do the implementation.

FWIW if I was prioritizing this blueprint, I'd say it's essential for ocata.

Please file a blueprint.

Thanks
-steve

Changed in kolla:
status: New → Incomplete
importance: Undecided → High
importance: High → Wishlist
assignee: nobody → Steven Dake (sdake)
Changed in kolla:
milestone: ocata-1 → ocata-2
Changed in kolla:
milestone: ocata-2 → ocata-3
Christian Berendt (berendt) wrote :
Changed in kolla:
status: Incomplete → Invalid