From 8f8fee8e59e0e25dd799cb2fa9609978b7b96d48 Mon Sep 17 00:00:00 2001
From: steigr
Date: Mon, 16 May 2016 06:02:53 +0200
Subject: [PATCH] Janitor needs neither privileged mode nor network access. (#100)

* Janitor doen't need privileged mode nor networking
- remove "privileged: true" property
- add "net: none" property
The cleanup tasks runs entirely without networking on /var/run/docker.sock. The calling process can access the docker so it does not need to have privileged mode.
Signed-off-by: Mathias Kaufmann
* Added boolean question for privileged mode.
Signed-off-by: Mathias Kaufmann
---
 templates/janitor/1/docker-compose.yml | 2 +-
 templates/janitor/2/docker-compose.yml | 3 ++-
 templates/janitor/2/rancher-compose.yml | 7 ++++++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/templates/janitor/1/docker-compose.yml b/templates/janitor/1/docker-compose.yml
index 628de7b..f1efed9 100644
--- a/templates/janitor/1/docker-compose.yml
+++ b/templates/janitor/1/docker-compose.yml
@@ -8,7 +8,7 @@ cleanup:
   labels:
     io.rancher.scheduler.global: "true"
     io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
-  privileged: true
+  net: none
   tty: false
   stdin_open: false
   volumes:
diff --git a/templates/janitor/2/docker-compose.yml b/templates/janitor/2/docker-compose.yml
index c74c927..ecb8268 100644
--- a/templates/janitor/2/docker-compose.yml
+++ b/templates/janitor/2/docker-compose.yml
@@ -10,7 +10,8 @@ cleanup:
   labels:
     io.rancher.scheduler.global: "true"
     io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
-  privileged: true
+  net: none
+  privileged: ${PRIVILEGED_MODE}
   tty: false
   stdin_open: false
   volumes:
diff --git a/templates/janitor/2/rancher-compose.yml b/templates/janitor/2/rancher-compose.yml
index 81b347d..ad7a06e 100644
--- a/templates/janitor/2/rancher-compose.yml
+++ b/templates/janitor/2/rancher-compose.yml
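Review bot: Dropping `privileged: true` from the version-1 template without the opt-in that the same commit gives version 2 leaves version 1 with no way to run on the hardened hosts the new PRIVILEGED_MODE question describes, and version 1 looks like an already-published catalog revision, so existing stacks would presumably change behaviour on their next upgrade; either leave version 1 untouched or give it the same `privileged: ${PRIVILEGED_MODE}` line together with the matching question. A comment on the new line would keep the intent with the code: `# no container networking: cleanup only talks to the bind-mounted docker socket`. Note that the socket mount itself (the `volumes:` list continues outside the hunk) still grants control of the Docker daemon, so `net: none` limits this container's own network, not what it can do through the socket.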
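Review bot: `privileged: ${PRIVILEGED_MODE}` is substituted as a bare scalar, which is right for a compose boolean, but an empty or missing answer would leave `privileged:` parsing as null, and nothing in this file says that the value comes from a question in rancher-compose.yml whose `default: false` and `required: true` are what prevent that. A comment above the line would make the dependency visible: `# answered by the PRIVILEGED_MODE question in rancher-compose.yml; defaults to false`. The default should stay false: even unprivileged, a container with the docker socket bind-mounted (the `volumes:` list runs past the hunk) controls the daemon, and `net: none` only removes this container's own network, so privileged mode is best left a deliberate opt-in.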
@@ -28,4 +28,9 @@
       default: "*:*"
       required: false
       type: "string"
-
+    - variable: "PRIVILEGED_MODE"
+      label: "Run janitor in privileged mode"
+      description: "In hardened environments containers must be privileged to access the bind-mounted unix:///var/run/docker.sock. This is not the default case."
+      default: false
+      required: true
+      type: "boolean"
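Review bot: The description on the new PRIVILEGED_MODE question is vague for a user-facing prompt: "hardened environments" is undefined and "This is not the default case." does not say what the default does or when to change it. Something like `description: "Set to true only if an unprivileged container cannot use the bind-mounted /var/run/docker.sock on your hosts; leave false (the default) otherwise."` states both the condition and the consequence of the default. The rest of the entry matches the surrounding questions (quoted label and type, explicit `required`), and removing the trailing blank line is fine since the list now continues.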