-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question]: What would be impacted if we turned off the need for privileged containers #491
Comments
I was not even aware that this container needed "privilege: true" in Kubernetes to be honest. So what happens when you set "privileged: false"? |
Ow yes, I see now they received a I am not sure what it means, so possibly there is a simple workaround for that. But the sole reason why you see the message about In any case: it fails while it tries to create a bridge. So the most easy solution would be to use DHCP mode, so that it does not try to create a bridge at all. That would be a quick fix to prevent running with |
That's awesome. I'll try DHCP mode. |
Also, I am not really sure there is a real need to worry about running the container privileged. If you are worried about my code doing something fishy, you can just read it as its open-source, and confirm that it does nothing bad. If you are worried that some software in Windows is malicious, its already running inside the QEMU/KVM sandbox, which is much better isolation than Docker can ever provide (even with privileged=false). So I cannot think of any real-world security risk of running it privileged. |
There is an example Kubernetes file: https://github.com/dockur/windows/blob/master/kubernetes.yml which works fine. |
I'm really trying to solve this so other users don't have to run the privildge: true Update... I was able to add DHCP. I had to look at the original QEMU image, then their entry.sh script, which led me to the netowrk.sh script. It's looking for the environment variable to be set.
I now have these resultant errors. We're getting closer, @kroese This is going to be even more awesomer when we solve this. |
I already explained to you why this privileged flag is a non-issue for this container: #491 (comment) And I am the creator of that "original QEMU image", so that DHCP mode will create a There might be a way to create this bridge without privileges, so if you want to spend time on a fix then thats great. But for me personally I dont think its important at all, so Im not going to look into it. |
Thank you. |
Is your question not already answered in the FAQ?
Is this a general question and not a technical issue?
Question
There are some users of this container that are trying to run in kubernetes. One of the requirements of this project is to run "privilege: true". However, I'd like to explore ways to remove this requirement for improved security and isolation. What approaches or adjustments can be made so that the container operates effectively within Kubernetes without needing or relying on host system access privileges? Any guidance would be greatly appreciated.
The text was updated successfully, but these errors were encountered: