Rancher Version: all
Docker Version: 1.12
OS and where are the hosts located? (cloud, bare metal, etc): Ubuntu 16.04, VM
Setup Details: (single node rancher vs. HA rancher, internal DB vs. external DB) Single Node Rancher + external DB
Environment Type: (Cattle/Kubernetes/Swarm/Mesos) Cattle
Steps to Reproduce: Just create any docker container via API or UI
Results: All container settings (volumes, privileged, dns settings, etc) are allowed
Expected: It would be nice to have a config option in Rancher to "fix" certain container settings, to make them read only. Or let's say only the owners of an environment are allowed to set these settings, members must use the default values.
Use Case: We want to go into production with Docker in the next months but our security concerns are basically two settings:
While they're OK in Test environments, on PROD we are looking for a way to completely disable them. They're not needed for the applications to be deployed. I have tried the docker no volume plugin (https://github.com/projectatomic/docker-novolume-plugin) which only works for volumes defined in Dockerfiles and I also took a look at the current apparmor profile for the Docker Engine, but it's not working and is (probably) still in development. As we're most likely going with Rancher for general administration over the Docker hosts and containers, it would be another possibility (besides Docker itself) to have Rancher make the sanitizing check whether or not the chosen settings for a container are allowed.
At first I thought Rancher simply launches the "docker" command, so I tried it with a wrapper script:

```bash
#!/bin/bash
# Docker Wrapper script by www.claudiokuenzler.com
# Assumes the real docker binary was moved aside to /usr/bin/docker.real
CMD="$*"
echo "Your command was: $CMD" >> /var/log/dockerwrapper.log
if echo "$CMD" | grep -e "-v" > /dev/null; then echo "Parameter for volume mounting detected. This is not allowed."; exit 1;fi
if echo "$CMD" | grep -e "--volume" > /dev/null; then echo "Parameter for volume mounting detected. This is not allowed."; exit 1;fi
if echo "$CMD" | grep -e "--privileged" > /dev/null; then echo "Parameter for privileged containers detected. This is not allowed."; exit 1;fi
# Nothing forbidden found: hand the original arguments to the real docker CLI
exec /usr/bin/docker.real "$@"
```
This works for a local user wanting to create a container from the CLI. But, as I figured out while testing, Rancher talks directly to the Docker socket on /var/run/docker.sock. The wrapper script therefore doesn't work, but it can give you an idea of what I mean by this feature request.
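Because Rancher goes straight to the socket, the check has to sit on the Engine API rather than on the CLI. The policy below is an added example (not Rancher's or Docker's code) of the sanitizing check the request describes, written for the request shape a Docker authorization plugin receives (method, URI, base64 body); the sample requests are constructed, and the "Mounts" field is assumed to exist only on API versions newer than the 1.24 that Docker 1.12 speaks.

```python
import base64
import json
import re
from typing import Optional

# Container creation on the Engine API is POST /vX.Y/containers/create;
# the security-relevant knobs live under HostConfig in the JSON body.
CREATE_PATH = re.compile(r"^/(v[\d.]+/)?containers/create(\?.*)?$")


def check_create_request(method: str, uri: str, body: bytes) -> Optional[str]:
    """Return a denial reason, or None if the request may pass.

    Only container-create requests are inspected; all other API calls pass.
    """
    if method != "POST" or not CREATE_PATH.match(uri):
        return None
    try:
        spec = json.loads(body or b"{}")
    except json.JSONDecodeError:
        return "container create body is not valid JSON"
    host = spec.get("HostConfig") or {}
    if host.get("Privileged"):
        return "privileged containers are not allowed"
    # Host bind mounts arrive as HostConfig.Binds (the -v /host:/ctr form);
    # later API versions may also carry them as HostConfig.Mounts of type bind.
    if host.get("Binds"):
        return "host volume mounts (Binds) are not allowed"
    if any(m.get("Type") == "bind" for m in host.get("Mounts") or []):
        return "host volume mounts (Mounts type=bind) are not allowed"
    if spec.get("Volumes"):  # anonymous volumes, e.g. VOLUME in a Dockerfile
        return "anonymous volumes are not allowed"
    return None


def make_authz_req(method: str, uri: str, body: bytes) -> dict:
    """Build an AuthZPlugin.AuthZReq-shaped dict (RequestBody is base64)."""
    return {"RequestMethod": method, "RequestUri": uri,
            "RequestBody": base64.b64encode(body).decode()}


def authz_response(req: dict) -> dict:
    """Evaluate an AuthZReq-shaped dict and return the Allow/Msg answer."""
    body = base64.b64decode(req.get("RequestBody") or "")
    reason = check_create_request(req["RequestMethod"], req["RequestUri"], body)
    return {"Allow": reason is None, "Msg": reason or ""}


# Constructed sample requests, not captured from a real host.
SAMPLE_REQUESTS = {
    "privileged": ("POST", "/v1.24/containers/create?name=web",
                   b'{"Image":"nginx","HostConfig":{"Privileged":true}}'),
    "bind": ("POST", "/containers/create",
             b'{"Image":"nginx","HostConfig":{"Binds":["/:/host:rw"]}}'),
    "plain": ("POST", "/v1.24/containers/create", b'{"Image":"nginx","HostConfig":{}}'),
    "list": ("GET", "/v1.24/containers/json", b""),
}
```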