[che-dev] Default seccomp profile for Docker containers and GDB debugger

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[che-dev] Default seccomp profile for Docker containers and GDB debugger

From: Oleksandr Garagatyi <ogaragat@xxxxxxxxxx>
Date: Wed, 1 Nov 2017 13:11:08 +0200
Delivered-to: che-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/che-dev>
List-help: <mailto:che-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/che-dev>, <mailto:che-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/che-dev>, <mailto:che-dev-request@eclipse.org?subject=unsubscribe>

Hello! We have a PR that introduces an ability to customize security options of Docker containers which backs Che workspaces https://github.com/eclipse/che/pull/6856.

This PR was submitted to allow usage of GDB debugger in Che without starting containers in the privileged mode. Which is very insecure in case of shared environments.

As an option, we can turn on security profile "seccomp:unconfined" by default.

This is less secure approach than default Docker security profile but it would allow Che users use GDB debugger by default. And in an environment where this approach is not secure enough admin can set default profile in Che.env by declaring an empty value for the environment variable.

The reasons why I'm considering this less secure approach as default are:

1. this is an approach used in k8s and OpenShift, see Mario's comment

2. UX of Che would be better by default

So, please, provide your thoughts on this topic.

OLEKSANDR GARAGATYI

SENIOR SOFTWARE ENGINEER

Red Hat

Prev by Date: [che-dev] link to the last community meeting recording
Next by Date: [che-dev] Startup time reduced
Previous by thread: [che-dev] link to the last community meeting recording
Next by thread: [che-dev] Startup time reduced
Index(es):
- Date
- Thread

Breadcrumbs