CAP_DAC_OVERRIDE no longer needed by non-root to interact with NSM #264

Merged
merged 2 commits into from
Aug 10, 2022

zolug
Collaborator

@zolug zolug commented Aug 8, 2022

Since NSM v1.5 CAP_DAC_OVERRIDE capability is no longer required to
interact with the nsm-sock mounted as hostPath volume.
networkservicemesh/cmd-nsmgr#510

Affected images: proxy, load-balancer, TAPA, NSC
(The official NSM cmd-nsc image can be used again. No need for a custom
Dockerfile, unless e.g. ping is required to work.)

Description

Issue link

#263

Checklist

  • Purpose
    • [] Bug fix
    • New functionality
    • Documentation
    • Refactoring
    • CI
  • Test
    • Unit test
    • E2E Test
    • Tested manually
  • Introduce a breaking change
    • Yes (description required)
    • No
  • Introduce changes in the Operator
    • Yes (description required)
      Will not work with NSM versions before v1.5.0 (if run as non-root)
    • No

zolug added 2 commits August 9, 2022 13:47
Since NSM v1.5 CAP_DAC_OVERRIDE capability is no longer required to
interact with the nsm-sock mounted as hostPath volume.
networkservicemesh/cmd-nsmgr#510

Affected images: proxy, load-balancer, TAPA, NSC
(The official NSM cmd-nsc image can be used again. No need for a custom
Dockerfile, unless e.g. ping is required to work.)

Note: New images will NOT work on older NSM versions
Note: images must be in sync (binaries with excess file capabilities
will NOT start if said capabilities are not provided to the container)
@zolug zolug merged commit 8f539bd into master Aug 10, 2022
@zolug zolug deleted the non-root-user branch March 4, 2024 10:32
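The commit note about binaries with excess file capabilities refusing to start can be checked before rollout. The sketch below is an added example, not code from Meridio or NSM: it decodes a `security.capability` xattr and applies the kernel's exec-time rule against a container's bounding set. It assumes the image sets file capabilities with the effective flag (as `setcap ...+ep` does); the function names and sample values are constructed for illustration.

```python
import struct

# Values from <linux/capability.h>; CAP_NAMES is a subset for readable output.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> (number of 32-bit permitted/inheritable pairs, total xattr size)
REVISIONS = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW"}


def parse_file_caps(xattr: bytes):
    """Decode a security.capability xattr into (permitted, inheritable, effective)."""
    magic = int.from_bytes(xattr[:4], "little")
    pairs, size = REVISIONS.get(magic & VFS_CAP_REVISION_MASK, (0, 0))
    if pairs == 0 or len(xattr) != size:
        raise ValueError("unsupported revision or wrong size")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def bounding_set(status_text: str) -> int:
    """Extract CapBnd from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line")


def blocks_exec(xattr: bytes, bounding: int, proc_inheritable: int = 0):
    """Names of file capabilities whose absence makes execve() fail with EPERM."""
    f_perm, f_inh, effective = parse_file_caps(xattr)
    new_permitted = (proc_inheritable & f_inh) | (f_perm & bounding)
    lacking = f_perm & ~new_permitted
    if not effective:  # without the effective flag the exec still succeeds
        return []
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if lacking >> b & 1]


# Constructed sample: xattr equal to "cap_dac_override,cap_net_raw+ep" (revision 2)
SAMPLE_XATTR = struct.pack("<5I", 0x02000001, (1 << 1) | (1 << 13), 0, 0, 0)
# Constructed sample: container granted only NET_RAW (drop ALL, add NET_RAW)
SAMPLE_STATUS = "Name:\tnsc\nCapBnd:\t0000000000002000\n"

if __name__ == "__main__":
    print(blocks_exec(SAMPLE_XATTR, bounding_set(SAMPLE_STATUS)))
```

On a live Linux system the inputs would come from `os.getxattr(path, "security.capability")` and the contents of `/proc/self/status` inside the container.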
Projects
Status: Done