-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker build & security-relevant parameters #39433
Comments
Does rootless mode cover your requirement? |
Hi @AkihiroSuda, sorry for this incredibly delayed answer, as often, the reading on this was not connected to a very high priority project. I don't think rootless mode covers the idea to restrict build-time containers. From what I see so far rootless mode seems to result in significantly higher privileges for the executed container besides the actual uid than default containers. I.e. when I follow this description using rootlesskit and slirp4netns, the container executed by the rootless docker environment has the following capabilities: In addition, as documented, the container is executed without apparmor profile. For my scenario, the ability to start a container as non-root is not the relevant requirement but to restrict the executed build-time container as much as possible. Thank you & best, |
These capabilities are fake and limited in the user namespace |
Maybe you want to try running kaniko |
That of course makes sense on proper thought, thank you! Kaniko is definitely an option; but does that recommendation mean that there are no plans to integrate |
Contribution is wanted |
Dear Team,
I have a more general question that does not really fit the provided Issue template, apologies.
I was digging into options of dropping container privileges during build (capabilities, blocking more syscalls than the default, supplying a more restrictive apparmor profile, starting build container as non-root) and it is not possible. This issue was raised a couple of times with a focus on sec-comp (e.g. #37332, #34454), but I wanted to widen the scope for all the great security options that exist for docker run.
I fully understand the argument from the other issues that built images should be portable (which may be impacted by using higher privileges), but in my opinion it would be quite important to be able to drop privileges as container build systems are everywhere now and securing them is quite a challenge. From a quick brainstorming perspective, I also don't see how that would impact portability (especially since the target audience would probably be environments that want to apply the same runtime hardening to build and run systems).
Any ideas whether that could be put on any roadmap?
Thanks for your consideration & best,
Matthias
The text was updated successfully, but these errors were encountered: