Skip to content

Fix privilege acquisition to work better with docker #4538

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
shinrich merged 1 commit into from
Nov 5, 2018
Merged

Fix privilege acquisition to work better with docker #4538

shinrich merged 1 commit into from
Nov 5, 2018

Conversation

@shinrich
Copy link
Member

@shinrich shinrich commented Nov 2, 2018

This problem was noted by people trying to make Traffic Server work in docker without complete privileges. The current code tries to grab all privileges at once. If any privilege fails, no privilege is granted. In the standard --privileged case only the CAP_NET_BIND_SERVICE is granted (of the privileges we care about), and for a basic reverse proxy that is the only capability needed, but the Traffic Server code would try to get all three of CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK and fail. So the Traffic Server process running in the docker container could not listen on low ports.

This code change attempts to get the capabilities one at a time so that capabilities that can be granted will be granted.

@shinrich shinrich added this to the 9.0.0 milestone Nov 2, 2018
@shinrich shinrich self-assigned this Nov 2, 2018
@shukitchan
Copy link
Contributor

shukitchan commented Nov 2, 2018

[approve ci]

shukitchan
shukitchan approved these changes Nov 5, 2018
View reviewed changes
Copy link
Contributor

@shukitchan shukitchan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It has been working fine for us after these changes

@shinrich shinrich merged commit 3d7e280 into apache:master Nov 5, 2018
@bryancall bryancall modified the milestones: 9.0.0, 8.1.0 Mar 27, 2019
@bryancall
Copy link
Contributor

bryancall commented Mar 27, 2019

Cherry picked to 8.1.0

@jvgutierrez
Copy link
Member

jvgutierrez commented Aug 26, 2019

This is also needed when service hardening is performed via systemd, this commit was necessary to be able to bind on port 443 with the following systemd unit:

[Service]
ExecStartPre=/usr/local/sbin/update-ocsp-all
ExecStart=
ExecStart=/usr/bin/traffic_manager --run-root=/srv/trafficserver/tls --nosyslog
Restart=always
RestartSec=1
ExecReload=
ExecReload=/usr/bin/traffic_ctl --run-root=/srv/trafficserver/tls config reload
SuccessExitStatus=15

LimitNOFILE=500000
LimitMEMLOCK=90000

# Security options
ProtectKernelModules=yes
ProtectKernelTunables=yes
PrivateTmp=yes

RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_SYS_PTRACE CAP_FOWNER CAP_NET_BIND_SERVICE
SystemCallFilter=~@keyring @clock @cpu-emulation @obsolete @module @raw-io

# The entire file system hierarchy is mounted read-only, except for the API
# file system subtrees /dev, /proc and /sys
ProtectSystem=strict

@zwoop zwoop modified the milestones: 8.1.0, 8.1.0-nogo Mar 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shukitchan shukitchan shukitchan approved these changes

Assignees

@shinrich shinrich

Labels

Core Security

Projects

None yet

Milestone

8.1.0-nogo

Development

Successfully merging this pull request may close these issues.

5 participants

@shinrich @shukitchan @bryancall @jvgutierrez @zwoop