-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for --security-opt, --syscall, --ulimit...to swarm mode #25209
Comments
The |
ping @justincormack perhaps you have thoughts on this. As I commented on #25303 (comment) - one challenge will be "where to put the custom profile file" in a Swarm setup (unless the definition is stored in the Swarm service definition) |
@thaJeztah Excuse me, but my lack of english doesn't allow me to properly understand what you are talking about... |
@mostolog I was thinking how a custom profile should be set (see https://docs.docker.com/engine/security/seccomp/#/passing-a-profile-for-a-container), because I think docker needs to have access to the file that contains that profile (on each node in the swarm) |
Please, let me know if I understood properly, despite my far-too-brief description. I guess when you specify --security-opt for a container, it inherits the default profile + add parameters for running. I also suppose the same happens with services. If services created under swarm are deployed on other swarm nodes, a "Dockerfile" shall be sent to nodes in order to run those, hence this template could be part of the dockerfile, isnt it? |
@mostolog no, not a Dockerfile, the (contents of) the |
@thaJeztah Clear as water. Thanks a lot. |
@thaJeztah seccomp is not an issue - the file is not used, the json contents of it are passed by the client to the daemon. However, this just seems to be a workaround for elasticsearch trying to set its own seccomp profile and failing, which seems really odd, will look into what the cause is, it looks like a bug in elasticsearch. |
The seccomp error in elasticsearch was fixed here elastic/elasticsearch@f77e8a5 - we return |
@justincormack ah, I was mistaken then, I assumed the file was needed on the daemon side, but thinking more that would only be for a default profile. 😅 |
This is also going to be especially important for Windows containers that need to run as service accounts. We need the |
|
Are --ulimit or --syscall already implemented in 1.13.0-RC5 for docker service or docker stack? I'm not able to get it working... |
@mostolog Nope. |
Are we expecting this issue to be fixed soon? It is really important! |
I've also have the problem. I'm not able to run systemd based containers without the security_opt option. |
FYI I've opened #30894 to address some of these and would love feedback. If that PR is agreed upon, I'm planning to do the same for "resources" which should address the other things (ulimits, isolation, pids-limit, etc). |
I'd love to set 1.) I asume --sysctl will be "ported" to service create, |
We're seeing lots of asks for use of domain identities using |
/cc @ehazlett @diogomonica @cyli FYI |
@ehazlett and I chatted, we think that this would be a good opportunity to introduce either a For example, this could operate in the following manner: We would have to switch on secret types, and then internally pass the contents of that secret to it. Thoughts @cyli @aaronlehmann @aluzzardi |
Sorry I don't know what a credential spec is. Is its content secret in the literal sense? What's the problem with |
@aluzzardi I don't think we want to propagate any of the security flags of |
But here we are as well - except they're encapsulated into a secret which is even worse to deprecate? I might be getting out of topic, but I think we have to fix I think we should really fix If we continue down this path:
I believe the number one advantage of built-in orchestration is it feels natural to go from dev (single machine) to prod (cluster) - same tools, same UI, same platform. However, if we go ahead with this, we're basically creating a fracture where it's going to feel like using different tools. Let's put ourselves in the shoes of a lambda user deploying SQL server. You'll probably start by doing a docker run to get things going, tweaking the config, and so on and so on. Then you move to a docker service create (or stack deploy), and you'll notice the CLI spitting out errors like (╯°□°)╯︵ ┻━┻ Just to re-iterate, I think the way forward is:
|
@imyoungyang IIUC that's a workaround on how to set the ulimits for the docker daemon. Changing those settings changes them for every container. Just because elasticsearch needs e.g. 65k file descriptors doesn't mean we should let everyone have such fun. I guess we need to wait for libentitlement to land? @n4ss any advance in the last month? |
@xificurC yes, we're having more entitlements implemented and images such as nginx or dind are starting to work with it :) |
@xificurC The Docker Engine defaults since 8db6109 have high defaults (for performance reasons). Therefore you don't need to change them (for the sake of increased requirements, say, of Elasticsearch) with recent versions of docker-ce/ee etc. However, you'd need to do the reverse, i.e. reduce the limits per container if you feel that a specific one may potentially abuse resources, so entitlements would be needed for this case. |
It would be great is some workaround could be provided at least low level or at least at |
Additionally, there are also some cases where other non-Swarm flags like --privileged are required, such as running docker-in-docker for CI |
Could you elaborate? This should work; for example: {
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 2048,
"Soft": 1024
}
}
} |
@thaJeztah Sorry, I must have copied wrong syntax, yours does work indeed, thank you. |
To anyone stumbling with the net.core.somaxconn in swarm, one can do a workaround:
grabbed the idea from stack overflow unfortunately options are limited |
I am deeply worried by the fact that the moby/libentitlement repo (which is supposed to fix this issue) has been at a standstill for 3 months now... |
I managed a very limited workaround that I used to run a Docker volume plugin container that needed to do a FUSE mount. I created a Docker image, ...
privileged-nginx:
image: kadimasolutions/docker-run-d:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command:
- "--privileged -p 80:80 nginx"
... The |
WIP Pull request for setting sysctl for swarm services: #37701 / moby/swarmkit#2729 |
@thaJeztah Sysctl support for services was added on 19.03 so can we actually close this one? |
Hm, I think I left this one open because |
Is this being worked on (specifically --security-opt), or is there any workaround? Our current project uses gmsa accounts and we would like to use swarm but it does not seem possible at this point. |
For gmsa, I recall #38632 was added |
For the remaining options;
Let me close this one |
|
Hi
Looks like docker service create doesn't have any kernel configuration options. eg: --security-opt, --sysctl, --ulimit... which are sometimes required.
This is stopping us on using swarm mode to deploy ELK 5 on our testing servers.
Could you add at least a --container-args option? eg:
--container-args="--security-opt seccomp=unconfined --ulimit memlock=-1 --ulimit nofile=102400"
If this can be done somehow, sorry for mistake. Please let me know how to do it.
Regards.
The text was updated successfully, but these errors were encountered: