Feature Request: Configurable docker settings (disable or hard-code certain settings) #6962

Open
Napsty opened this Issue Dec 7, 2016 · 0 comments

Napsty commented Dec 7, 2016

Rancher Version: all

Docker Version: 1.12

OS and where are the hosts located? (cloud, bare metal, etc): Ubuntu 16.04, VM

Setup Details: (single node rancher vs. HA rancher, internal DB vs. external DB) Single Node Rancher + external DB

Environment Type: (Cattle/Kubernetes/Swarm/Mesos) Cattle

Steps to Reproduce: Just create any docker container via API or UI

Results: All container settings (volumes, privileged, dns settings, etc) are allowed

Expected: It would be nice to have a config option in Rancher to "fix" certain container settings, to make them read only. Or let's say only the owners of an environment are allowed to set these settings, members must use the default values.

Use Case: We want to go into production with Docker in the next months but our security concerns are basically two settings:

  • Volumes

  • Privileged containers

While they're OK in Test environments, on PROD we are looking for a way to completely disable them. They're not needed for the applications to be deployed. I have tried the docker no volume plugin (https://github.com/projectatomic/docker-novolume-plugin), which only works for volumes defined in Dockerfiles, and I also took a look at the current AppArmor profile for the Docker Engine, but it's not working and is (probably) still in development. As we're most likely going with Rancher for general administration over the Docker hosts and containers, it would be another possibility (besides Docker itself) to have Rancher make the sanitizing check whether or not the chosen settings for a container are allowed.

At first I thought Rancher simply launches the "docker" command so I tried it with a wrapper script:

```bash
#!/bin/bash
# Docker Wrapper script by www.claudiokuenzler.com

# Log the full command line as invoked
echo "Your command was: $*" >> /var/log/dockerwrapper.log

# Check each argument on its own so only real options match,
# not a "-v" that happens to appear inside an image or container name
for arg in "$@"; do
  case "$arg" in
    -v|-v?*|--volume*)
      echo "Parameter for volume mounting detected. This is not allowed."
      exit 1
      ;;
    --privileged|--privileged=*)
      echo "Parameter for privileged containers detected. This is not allowed."
      exit 1
      ;;
  esac
done

# Pass the original arguments through with their quoting intact
/usr/bin/docker.orig "$@"
```

This works for a local user wanting to create a container from the CLI. But, as I figured out while testing, Rancher talks directly to the Docker socket on /var/run/docker.sock. The wrapper script therefore doesn't work, but it can give you an idea what I mean by this feature request.
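
Because requests reach the daemon through the Docker socket, a check like the wrapper's has to look at the API request body instead of CLI arguments. The following is an added example, not code from the issue or from Rancher: it inspects the JSON body of a Docker Engine API `POST /containers/create` request for the two settings named above. The function names and sample bodies are constructed, and where such a check would run (for instance a proxy in front of the socket) is an assumption.

```python
import json

# Constructed sample bodies for POST /containers/create (not from the issue).
SAMPLE_OK = '{"Image": "nginx", "HostConfig": {"Privileged": false, "Binds": null}}'
SAMPLE_BAD = json.dumps({
    "Image": "nginx",
    "Volumes": {"/data": {}},
    "HostConfig": {
        "Privileged": True,
        "Binds": ["/etc:/host-etc:ro"],
        "Mounts": [{"Type": "bind", "Source": "/var/run", "Target": "/run"}],
        "VolumesFrom": ["other"],
    },
})


def violations(raw_body):
    """Return the disallowed settings found in a container-create body."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["unparseable request body"]  # fail closed
    if not isinstance(body, dict):
        return ["unparseable request body"]
    host = body.get("HostConfig") or {}
    if not isinstance(host, dict):
        return ["malformed HostConfig"]
    found = []
    # Privileged containers
    if host.get("Privileged"):
        found.append("HostConfig.Privileged")
    # Volumes can be requested through several fields, so check them all
    for key in ("Binds", "Mounts", "VolumesFrom"):
        if host.get(key):
            found.append("HostConfig." + key)
    if body.get("Volumes"):
        found.append("Volumes")
    return found


def is_allowed(raw_body):
    """True only when the body sets none of the restricted options."""
    return not violations(raw_body)
```

The check only sees what the request sets; volumes declared by a `VOLUME` instruction in the image do not appear in this body.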
