[docker-otel] limit privileged flag for otel container#25930

Merged
wangxin merged 1 commit into sonic-net:master from Janetxxx:dev/jc/limit-otel-priviledge on Mar 11, 2026

Conversation

@Janetxxx
Contributor

@Janetxxx Janetxxx commented Mar 6, 2026

Why I did it

HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
  • Microsoft ADO (number only):

How I did it

How to verify it

Run otel sonic-mgmt tests

admin@vlab-01:~$ docker inspect otel | grep Privi
            "Privileged": false,

Check the container's settings: Privileged is false and the container only has the default Linux caps, with no extended caps.

Which release branch to backport (provide reason below if selected)

  • 202305
  • 202311
  • 202405
  • 202411
  • 202505
  • 202511

Tested branch (Please provide the tested image version)

202412

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Copilot AI review requested due to automatic review settings March 6, 2026 02:28
@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@Janetxxx Janetxxx requested review from Pterosaur and removed request for lguohan, qiluo-msft and xumia March 6, 2026 02:28
@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Contributor

Copilot AI left a comment

Pull request overview

This PR hardens the otel Docker container runtime configuration in sonic-buildimage by removing the --privileged flag, aligning with the “Container Hardening” HLD work.

Changes:

  • Removed --privileged from the otel container run options.
  • Retained existing host mounts and namespace options (--pid=host, --userns=host) while dropping elevated privileges.
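The verification the PR description asks for (Privileged false, no extended caps) together with the retained host namespaces this review notes, as an added audit script that is not part of the PR or of sonic-buildimage: it parses the JSON that `docker inspect` prints, so it can be run against the real output, but the two inspect documents embedded here are constructed samples, not captures from a device.

```python
"""Audit `docker inspect` JSON for the hardening this PR describes (added example)."""
import json

# Constructed sample in the shape of `docker inspect otel` output (HostConfig
# fields only); values are illustrative, not captured from a real device.
HARDENED_INSPECT = json.dumps([{
    "Name": "/otel",
    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": None,
                   "PidMode": "host", "UsernsMode": "host"},
}])

# Constructed counter-example: the kind of state a --privileged container shows.
PRIVILEGED_INSPECT = json.dumps([{
    "Name": "/otel",
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN", "NET_ADMIN"],
                   "PidMode": "host", "UsernsMode": "host"},
}])

# HostConfig key -> the `docker run` flag that sets it.
HOST_NAMESPACE_FLAGS = {"PidMode": "--pid=host", "UsernsMode": "--userns=host"}


def audit_container(inspect_json: str):
    """Return (findings, residual) for the first container in the inspect JSON.

    findings: failures against the expected hardened state.
    residual: host-namespace flags still in effect, reported rather than
    failed because the PR deliberately keeps them.
    """
    entries = json.loads(inspect_json)
    if not entries:
        raise ValueError("empty docker inspect output")
    hc = entries[0].get("HostConfig") or {}
    findings = []
    if hc.get("Privileged", False):
        findings.append("Privileged is true")
    # CapAdd is null when nothing beyond the default capability set was granted.
    cap_add = hc.get("CapAdd") or []
    if cap_add:
        findings.append("extended capabilities added: " + ", ".join(sorted(cap_add)))
    residual = [flag for key, flag in HOST_NAMESPACE_FLAGS.items()
                if hc.get(key) == "host"]
    return findings, residual


if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_INSPECT), ("privileged", PRIVILEGED_INSPECT)):
        findings, residual = audit_container(doc)
        print(f"{label}: findings={findings or 'none'} residual={residual}")
```

Against a live device, pipe `docker inspect otel` into `audit_container` and treat any non-empty findings list as a regression of this PR.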

@wangxin wangxin merged commit 141ba0a into sonic-net:master Mar 11, 2026
28 of 30 checks passed
@mssonicbld
Collaborator

Cherry-pick PR to msft-202412: Azure/sonic-buildimage-msft#2053

@mssonicbld
Collaborator

Cherry-pick PR to 202511: #26159

@mssonicbld
Collaborator

@Janetxxx cherry pick PR didn't pass PR checker. Please check!!!
Azure/sonic-buildimage-msft#2053

7 participants