Too much privilege

Question

Too much privilege

antoinetran opened this issue 7 years ago · 4 comments

All containers in docker-compose.yml have privileged: true but they shouldn't because this is a bad practice. In fact, only MooseFs client needs some kind of privilege:

mfsclient:
    image: moosefs/client  #use GitHub version
    #build: ./moosefs-client  #use local version
    cap_add:
      # Needed for mount.
      - SYS_ADMIN

We have for months such a configuration and it works well (in CentOs base image).

Answer 1 · 2018-02-06T06:17:18.000Z

You are right, thanks!
Was able to run it using:

    cap_add:
      # Needed for mount.
      - SYS_ADMIN
    devices:
      # Needed for mount.
      - /dev/fuse:/dev/fuse
    security_opt:
      # Needed for mount.
      - apparmor:unconfined

Answer 2 · 2018-02-06T09:14:50.000Z

Oh, you're right, I forgot to mention /dev/fuse. We didn't need apparmor:unconfined, but I guess this is because of selinux we disabled.
Also, FYI, we had to configure in docker host the mount type as shared instead of private, for our container to be seen in host and containers.

Answer 3 · 2018-02-06T10:22:31.000Z

Also, I saw the fixes in the commits: mfschunks and mfsmaster don't need theses SYS_ADMIN or /dev/fuse, I am sure of that. I am not sure for apparmor.

Answer 4 · 2018-02-06T10:30:50.000Z

Yes, agree - chunkservers and master does not require extra privileges.
Aparmor is required for Ubuntu - it refuses to mount without it.
Here: https://github.com/moosefs/moosefs-docker-cluster/blob/master/docker-compose-chunkserver-client.yml?
There should be chunkservers with clients, but they are without mounts (see commented lines with build)
Will fix it, thanks a lot!