
Docker images: Remove capability requirements #11081

Merged
merged 2 commits into from
Dec 13, 2021

Conversation

nvaatstra
Contributor

Short description

The current Docker images are built with a dependency on the NET_BIND_SERVICE capability which used to be required for binding to a privileged port. This capability included in the image causes problems when trying to deploy the image on a Kubernetes platform with restrictive security policies in place (which is becoming the norm).

This pull request removes those dependencies and adds instructions to:

  • Avoid these privileged ports (by binding to non-privileged ports)
  • Add the NET_BIND_SERVICE capability to containers

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@nvaatstra nvaatstra requested a review from Habbie December 8, 2021 15:41
@Habbie
Member

Habbie commented Dec 9, 2021

@omoerbeek @rgacogne a backport to 4.6 and 1.7 would be very convenient. Any objections?

@rgacogne
Member

rgacogne commented Dec 9, 2021

I'm not sure I understand what happens by default after that PR is merged. The default ports are still privileged but the services no longer have the capability to bind to these ports, right? In that case can the services start without changing the configuration? Is running the container in privileged mode enough, even though we run under a non-privileged user?

@Habbie
Member

Habbie commented Dec 9, 2021

Is running the container in privileged mode enough, even though we run under a non-privileged user?

Nico has just extended the README to note that since Docker 20.10.0, binding <1024 simply is allowed by default. Specifically, 20.10.0 and up set net.ipv4.ip_unprivileged_port_start = 0 inside containers.

@rgacogne
Member

rgacogne commented Dec 9, 2021

Ah, I missed that, thanks. That's nice. And I guess before that change we can't start even if the container runs in privileged mode?

@Habbie
Member

Habbie commented Dec 9, 2021

(users with other runtimes may need to do work, as the readme says, so perhaps upgrade notes are in order, I can do that)

@Habbie
Member

Habbie commented Dec 9, 2021

Ah, I missed that, thanks. That's nice. And I guess before that change we can't start even if the container runs in privileged mode?

Before that, privileged mode works, or the setcap that this PR removes.

@rgacogne
Member

rgacogne commented Dec 9, 2021

So when running in privileged mode and with a non-root user, we still keep all capabilities?

@Habbie
Member

Habbie commented Dec 9, 2021

So when running in privileged mode and with a non-root user, we still keep all capabilities?

Uh, I think so yes.

@Habbie
Member

Habbie commented Dec 9, 2021

So when running in privileged mode and with a non-root user, we still keep all capabilities?

After more investigation: yes, Docker's USER is not great at dropping capabilities, but dnsdist is, so we're safe.

@rgacogne
Member

rgacogne commented Dec 9, 2021

Note that the recursor also calls dropCapabilities but it looks like the authoritative server doesn't.
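The question running through the last few comments (does a non-root process in the container still hold CAP_NET_BIND_SERVICE, and why can a Docker 20.10+ container bind a low port without it) can be settled empirically. The script below is an added example, not code from this PR or the PowerDNS repository. It assumes a Linux container with /proc mounted, reads the calling process's own CapEff mask from /proc/self/status and the net.ipv4.ip_unprivileged_port_start sysctl, and applies the kernel's rule: a port at or above the sysctl value needs no capability, anything below it needs bit 10 (CAP_NET_BIND_SERVICE) in the effective set. The function names are mine; the remedies it prints are the ones the PR's README changes describe.

```shell
#!/bin/sh
# Added example, not code from the PowerDNS PR: decide whether a process may
# bind a privileged port once the image no longer carries cap_net_bind_service.
# Kernel rule: ports below net.ipv4.ip_unprivileged_port_start need
# CAP_NET_BIND_SERVICE (capability number 10) in the effective set; ports at or
# above it need nothing. Docker 20.10.0+ sets that sysctl to 0 in containers.

CAP_NET_BIND_SERVICE=10

# has_cap MASK_HEX CAPNUM: succeed if bit CAPNUM is set in MASK_HEX, the
# capability mask as printed in /proc/<pid>/status (e.g. CapEff: 00000000a80425fb,
# which is Docker's default set and does include bit 10).
has_cap() {
    _mask=$1
    _bit=$2
    [ $(( (0x$_mask >> $_bit) & 1 )) -eq 1 ]
}

# port_bind_allowed PORT MASK_HEX UNPRIV_START: succeed if a process whose
# effective capabilities are MASK_HEX may bind PORT when the sysctl is UNPRIV_START.
port_bind_allowed() {
    _port=$1
    _mask=$2
    _start=$3
    if [ "$_port" -ge "$_start" ]; then
        return 0
    fi
    has_cap "$_mask" "$CAP_NET_BIND_SERVICE"
}

# Facts about the calling process; run these inside the container, not on the host.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

current_unpriv_start() {
    # Fall back to the historical default if the sysctl file is absent.
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# explain PORT: print the verdict and, on failure, the remedies the PR's README
# describes (a higher port, --cap-add, or the 20.10+ sysctl default).
explain() {
    _port=$1
    _mask=$(current_capeff)
    _start=$(current_unpriv_start)
    if port_bind_allowed "$_port" "$_mask" "$_start"; then
        echo "port $_port: bindable (CapEff=$_mask, ip_unprivileged_port_start=$_start)"
        return 0
    fi
    echo "port $_port: NOT bindable (CapEff=$_mask, ip_unprivileged_port_start=$_start)"
    echo "  fix: bind a port >= $_start, or docker run --cap-add=NET_BIND_SERVICE,"
    echo "       or docker run --sysctl net.ipv4.ip_unprivileged_port_start=0"
    return 1
}

# Usage: sh check_bind.sh 53
if [ -n "$1" ]; then
    explain "$1"
fi
```

Run it from a shell inside the image to see what the runtime actually granted the non-root user (with `--privileged`, the bit will still be present, which is what the comments above observe about Docker's USER). To check what a daemon kept after its own dropCapabilities call, read that process's /proc/<pid>/status rather than the shell's, since the shell's CapEff reflects the runtime's grant, not the daemon's drop.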

@Habbie
Member

Habbie commented Dec 9, 2021

Proposed text for upgrade notes for all 3 products:

Privileged port binding in Docker
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In our Docker image, our binaries no longer get the ``net_bind_service`` capability, as this is unnecessary in many deployments.
For more information, see the section "Privileged ports" in [Docker-README](https://github.com/PowerDNS/pdns/blob/master/Docker-README.md#privileged-ports).

@jsoref
Contributor

jsoref commented Dec 9, 2021

Proposed text for upgrade notes for all 3 products:

Privileged port binding in Docker
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In our Docker image, our binaries no longer get the ``net_bind_service`` capability, as this is unnecessary in many deployments.

I'm not sure about the word get, do you mean ask for, are assigned, ...?

For more information, see the section "Privileged ports" in Docker-README.

@Habbie
Member

Habbie commented Dec 9, 2021

I'm not sure about the word get, do you mean ask for, are assigned, ...?

receive makes sense to me.

@rgacogne
Member

Or perhaps are granted?

@jsoref
Contributor

jsoref commented Dec 10, 2021

As are no longer granted


4 participants