Comments (3)

Comment 1:

"privileged: true" currently has the effect of silently overriding any custom SELinux label. The workaround is to not set it, but to enable all capabilities, disable seccomp, etc., to gain most of the effects of "privileged: true" without actually setting it.
Comment 2:

Thanks @bcressey, it works indeed when removing "privileged: true".

We have tried both control_t and super_t; does it make sense that only the latter works?
Comment 3:

@slashben these actions are currently restricted to super_t, which is meant to be a deliberate opt-in to system calls that can break host functionality in surprising ways.

In this case it's that a process using restrictive fanotify access logic on host mounts can block the API from working, block the flow of container metrics, prevent updates from being applied, etc.

SELinux relabeling is also restricted to super_t for essentially the same reason.

"Can it prevent updates, brick the node on update, or cause data loss after an update?" is the key question. Of course most uses of fanotify (and most uses of SELinux relabeling) are not going to have this effect, but some can.

The opt-in is partly to acknowledge the risk and partly so we know when troubleshooting something that the usual rules may not apply.
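The following pair of pod specs is an added example illustrating the workaround from the first comment and the super_t opt-in from the third; it is not code from the Bottlerocket project or from the thread's participants. The pod and namespace names, the image reference, and the /host mount path are placeholders. The first spec shows the problem (a requested SELinux type that "privileged: true" silently clobbers); the second drops "privileged" and instead grants the pieces it would have bundled explicitly, so the custom label is actually applied.

```yaml
# Added example, not Bottlerocket's own manifests.
# A node-level agent (for instance a fanotify-based file monitor) that needs
# host filesystem access on a Bottlerocket node.
# Placeholders: pod names, namespace, image reference, /host mount path.
---
# BEFORE: "privileged: true" silently overrides the requested SELinux type,
# so this container does NOT run as super_t despite asking for it.
apiVersion: v1
kind: Pod
metadata:
  name: host-agent-privileged
  namespace: kube-system
spec:
  containers:
    - name: agent
      image: example.com/host-agent:1.0   # placeholder image
      securityContext:
        privileged: true                  # clobbers seLinuxOptions below
        seLinuxOptions:
          type: super_t                   # ignored once privileged is set
      volumeMounts:
        - name: host-root
          mountPath: /host
  volumes:
    - name: host-root
      hostPath:
        path: /
---
# AFTER: no "privileged". Grant all capabilities and disable seccomp
# explicitly (the workaround from the thread) and request the super_t type,
# which is the deliberate opt-in for fanotify on host mounts.
apiVersion: v1
kind: Pod
metadata:
  name: host-agent-super-t
  namespace: kube-system
spec:
  containers:
    - name: agent
      image: example.com/host-agent:1.0   # placeholder image
      securityContext:
        # "privileged: true" intentionally omitted
        seLinuxOptions:
          type: super_t                   # opt-in; can affect host updates
        capabilities:
          add: ["ALL"]                    # all capabilities
        seccompProfile:
          type: Unconfined                # seccomp disabled
        allowPrivilegeEscalation: true
      volumeMounts:
        - name: host-root
          mountPath: /host
  volumes:
    - name: host-root
      hostPath:
        path: /
```

To confirm which label the container actually received, run "cat /proc/1/attr/current" inside it (or "ps -Z" on the node): with the first spec the type will not be super_t, with the second it will. Note that this reproduces only most of what "privileged: true" bundles; for example, it does not expose every host device under /dev to the container, so add only the specific devices or host namespaces the agent really needs.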