
[docker-restapi] limit privileged flag for restapi container #17138

Merged
xumia merged 1 commit into sonic-net:master from maipbui:restapi_priv
Nov 21, 2023

Conversation

@maipbui maipbui (Contributor) commented Nov 10, 2023

Why I did it

HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
  • Microsoft ADO (number only): 14807420

How I did it

Reduce Linux capabilities in privileged flag

How to verify it

Run restapi sonic-mgmt tests on sn4600c.
Check the container's settings: Privileged is false and the container only has the default Linux caps, not extended caps.

admin@vlab-01:~$ docker inspect restapi | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it restapi bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211
  • 202305

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: Mai Bui <maibui@microsoft.com>
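The verification step above is a manual read of `docker inspect` and `capsh --print`. As an added example (not part of this PR or of SONiC's own tooling), the following script automates that check offline: it parses a `docker inspect` JSON document for `HostConfig.Privileged` and `HostConfig.CapAdd`, parses the `Current:` line of `capsh --print` in libcap text form (including the `=ep` shorthand that denotes every capability), and reports any capability beyond Docker's default set. The inspect documents and the privileged `capsh` line are constructed samples; the hardened `capsh` line is the one shown in the PR description.

```python
import json
import re

# Capability set Docker grants a non-privileged container by default; it is
# the same 14 names capsh printed in the PR description.
DOCKER_DEFAULT_CAPS = frozenset({
    "cap_chown", "cap_dac_override", "cap_fowner", "cap_fsetid", "cap_kill",
    "cap_setgid", "cap_setuid", "cap_setpcap", "cap_net_bind_service",
    "cap_net_raw", "cap_sys_chroot", "cap_mknod", "cap_audit_write",
    "cap_setfcap",
})

# Sentinel for the libcap text form "=ep", which means every capability.
ALL_CAPS = "ALL"

# One libcap text clause: "<names><op><flags>", e.g. "cap_chown,cap_kill=ep",
# "=ep" (all caps), "=" (clear), "cap_sys_admin+ep".
_CLAUSE = re.compile(r"([a-z0-9_,]*)([=+-])([eip]*)")


def parse_capsh_current(capsh_output):
    """Return the capability names on the 'Current:' line of `capsh --print`
    as a frozenset, or ALL_CAPS when the text form denotes the full set."""
    for line in capsh_output.splitlines():
        if not line.startswith("Current:"):
            continue
        caps = set()
        for clause in line.split(":", 1)[1].split():
            m = _CLAUSE.fullmatch(clause)
            if m is None:
                raise ValueError("unrecognised capability clause: " + clause)
            names, op, flags = m.groups()
            if op == "=":
                caps.clear()
                if not names and flags:
                    return ALL_CAPS  # "=ep": every capability raised
            listed = {n for n in names.split(",") if n}
            if op == "-":
                caps -= listed
            else:
                caps |= listed
        return frozenset(caps)
    raise ValueError("no 'Current:' line in capsh output")


def check_hardening(inspect_json, capsh_output):
    """Compare `docker inspect` output and `capsh --print` output against the
    hardening goal of the PR. Returns a list of findings; empty means OK."""
    findings = []
    data = json.loads(inspect_json)
    container = data[0] if isinstance(data, list) else data
    host = container.get("HostConfig", {})
    if host.get("Privileged", False):
        findings.append("HostConfig.Privileged is true")
    cap_add = host.get("CapAdd") or []
    if cap_add:
        findings.append("HostConfig.CapAdd grants extra capabilities: " + ",".join(cap_add))
    current = parse_capsh_current(capsh_output)
    if current == ALL_CAPS:
        findings.append("process holds every capability (capsh reported =ep)")
    else:
        extra = current - DOCKER_DEFAULT_CAPS
        if extra:
            findings.append("non-default capabilities in effect: " + ",".join(sorted(extra)))
    return findings


# Constructed sample: trimmed `docker inspect restapi` output after the change.
HARDENED_INSPECT = json.dumps([{
    "Name": "/restapi",
    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": None},
}])
# The "Current:" line as shown in the PR description; the second line is a
# constructed, truncated stand-in for the rest of capsh's output.
HARDENED_CAPSH = (
    "Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,"
    "cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,"
    "cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep\n"
    "Bounding set =cap_chown,cap_dac_override\n"
)

# Constructed sample: what a still-privileged container would look like.
PRIVILEGED_INSPECT = json.dumps([{
    "Name": "/restapi",
    "HostConfig": {"Privileged": True, "CapAdd": ["NET_ADMIN"], "CapDrop": None},
}])
PRIVILEGED_CAPSH = "Current: =ep\n"

if __name__ == "__main__":
    for label, inspect_out, capsh_out in (
        ("hardened", HARDENED_INSPECT, HARDENED_CAPSH),
        ("privileged", PRIVILEGED_INSPECT, PRIVILEGED_CAPSH),
    ):
        findings = check_hardening(inspect_out, capsh_out)
        print(label + ":", "OK" if not findings else "; ".join(findings))
```

On a device the two inputs come from `docker inspect restapi` and `docker exec restapi capsh --print`; the parser handles both the `names=ep` form shown in the PR and the `= names+ep` / `=ep` forms older libcap versions print, so the same check works across images with different libcap builds.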
@maipbui maipbui (Contributor, Author) commented Nov 13, 2023

@prsunny Could you help review this PR?

@maipbui maipbui (Contributor, Author) commented Nov 20, 2023

@prsunny @theasianpianist Could you help review this PR?

@xumia xumia (Collaborator) left a comment

LGTM

@xumia xumia merged commit 6ea03f9 into sonic-net:master Nov 21, 2023
@maipbui maipbui deleted the restapi_priv branch November 21, 2023 06:55
@prsunny prsunny (Contributor) commented Nov 22, 2023

@xumia , does this break older branches?

@xumia xumia (Collaborator) commented Nov 23, 2023

@xumia , does this break older branches?

@prsunny , you mean old releases, such as 202305, 202205, right? The PR only goes to master, it should not break older branches, right? @maipbui , please help investigate it, if we need to merge to the older branch.

@maipbui maipbui (Contributor, Author) commented Nov 23, 2023

@xumia , does this break older branches?

We don't need to merge to older branches, so it should not break older branches.
