
[docker-teamd] limit privileged flag for teamd container#15829

Merged
qiluo-msft merged 1 commit intosonic-net:masterfrom
maipbui:teamd_priv
Aug 17, 2023

Conversation

@maipbui (Contributor) commented Jul 13, 2023

Why I did it

HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
  • Microsoft ADO (number only): 14807420

How I did it

Reduce Linux capabilities in privileged flag, retain NET_ADMIN capability

How to verify it

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211
  • 202305

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: Mai Bui <maibui@microsoft.com>
@qiluo-msft qiluo-msft requested a review from Yarden-Z July 13, 2023 21:37
@maipbui maipbui requested a review from judyjoseph August 15, 2023 18:26
@judyjoseph (Contributor) commented

Looks ok here for teamd, one question on below capability.

NET_RAW | Use RAW and PACKET sockets

    Is this needed for doing tcpdump inside the docker container ? 
    In the multi-asic platforms we usually go into one of these dockers in the "asic" namespace and do a tcpdump
    as the interfaces are present in the namespace. 

Another interesting capability is below

NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024).

  Not significant to L2 protocols like LLDP, LACP, but would need to set this in case of frr docker, as we have BGP bound to port 179.

@maipbui (Contributor, Author) commented Aug 15, 2023

> Looks ok here for teamd, one question on below capability.
>
> NET_RAW | Use RAW and PACKET sockets
>
>     Is this needed for doing tcpdump inside the docker container ?
>     In the multi-asic platforms we usually go into one of these dockers in the "asic" namespace and do a tcpdump
>     as the interfaces are present in the namespace.
>
> Another interesting capability is below
>
> NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024).
>
>   Not significant to L2 protocols like LLDP, LACP, but would need to set this in case of frr docker, as we have BGP bound to port 179.

@judyjoseph both NET_RAW and NET_BIND_SERVICE caps are granted by default if the --privileged flag is not used, check this ref: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
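To make the capability arithmetic behind both the "How I did it" section and the reply above concrete, here is an added example (not code from this PR or from the sonic-buildimage project). It encodes Docker's documented default capability set, adds NET_ADMIN the way `--cap-add=NET_ADMIN` would, decodes a `CapEff` line as found in `/proc/<pid>/status`, and lists what a container loses when `--privileged` is replaced. Assumptions: capability bit numbers follow `include/uapi/linux/capability.h`, `--privileged` is modelled as every capability in that table, and the `/proc` status excerpt is constructed for the example, not captured from a switch.

```python
"""Decode CapEff bitmasks and compare the capability set a container gets
under --privileged with Docker's default set plus --cap-add=NET_ADMIN.
Added example; not part of PR #15829 or the sonic-buildimage tree."""

import re

# Bit numbers from include/uapi/linux/capability.h; list index == bit number.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Docker's default capability set for a non-privileged container, per the
# runtime-privilege documentation linked in the thread.
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})

# Assumption: --privileged grants every capability in CAP_NAMES.
PRIVILEGED_CAPS = frozenset(CAP_NAMES)


def caps_to_mask(names):
    """Encode a set of capability names as a CapEff-style bitmask."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def mask_to_caps(mask):
    """Decode a CapEff-style bitmask into the set of capability names."""
    return frozenset(name for name, bit in CAP_BIT.items() if (mask >> bit) & 1)


def parse_capeff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def container_caps(privileged=False, cap_add=(), cap_drop=()):
    """Capability set a container receives for a given docker run configuration."""
    if privileged:
        return PRIVILEGED_CAPS
    caps = set(DOCKER_DEFAULT_CAPS)
    caps.update(cap_add)
    caps.difference_update(cap_drop)
    return frozenset(caps)


def dropped_by_hardening():
    """Capabilities lost when --privileged is replaced by --cap-add=NET_ADMIN."""
    return PRIVILEGED_CAPS - container_caps(cap_add=["NET_ADMIN"])


# Constructed /proc/self/status excerpt as it would look inside a container
# started with the default set plus NET_ADMIN (not captured from a device).
SAMPLE_STATUS = """Name:\tteamd
CapInh:\t0000000000000000
CapPrm:\t00000000a80435fb
CapEff:\t00000000a80435fb
CapBnd:\t00000000a80435fb
"""


if __name__ == "__main__":
    effective = mask_to_caps(parse_capeff(SAMPLE_STATUS))
    print("effective caps:", ", ".join(sorted(effective)))
    checks = [("NET_ADMIN", "link/team management"),
              ("NET_RAW", "tcpdump, PACKET sockets"),
              ("NET_BIND_SERVICE", "binding ports below 1024, e.g. BGP 179")]
    for needed, purpose in checks:
        state = "present" if needed in effective else "MISSING"
        print(f"{needed:17} {state}  ({purpose})")
    print("dropped relative to --privileged:",
          ", ".join(sorted(dropped_by_hardening())))
```

The default mask the code reproduces (`00000000a80425fb`) is the value `capsh --decode` or `/proc/self/status` shows in an ordinary Docker container; adding NET_ADMIN sets bit 12, giving `a80435fb`. Capabilities are only part of what `--privileged` changes: it also exposes host devices and lifts the default seccomp and AppArmor profiles, so replacing it with a single `--cap-add` narrows more than the 26 dropped capabilities alone suggest.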

@maipbui maipbui marked this pull request as ready for review August 15, 2023 22:47
@maipbui maipbui requested review from lguohan and xumia as code owners August 15, 2023 22:47
@qiluo-msft qiluo-msft merged commit 6c96b29 into sonic-net:master Aug 17, 2023
@maipbui maipbui deleted the teamd_priv branch August 17, 2023 16:49
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023