Janitor needs neither privileged mode nor network access. (#100)

* Janitor doen't need privileged mode nor networking

- remove "privileged: true" property
- add "net: none" property

The cleanup tasks runs entirely without networking on /var/run/docker.sock. The calling process can access the docker so it does not need to have privileged mode.

Signed-off-by: Mathias Kaufmann <me@stei.gr>

* Added boolean question for privileged mode.

Signed-off-by: Mathias Kaufmann <me@stei.gr>

templates/janitor/1/docker-compose.yml

@@ -8,7 +8,7 @@ cleanup:
   labels:
      io.rancher.scheduler.global: "true"
      io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
-  privileged: true
+  net: none
   tty: false
   stdin_open: false
   volumes:

templates/janitor/2/docker-compose.yml

@@ -10,7 +10,8 @@ cleanup:
   labels:
      io.rancher.scheduler.global: "true"
      io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
-  privileged: true
+  net: none
+  privileged: ${PRIVILEGED_MODE}
   tty: false
   stdin_open: false
   volumes:

templates/janitor/2/rancher-compose.yml

@@ -28,4 +28,9 @@
       default: "*:*"
       required: false
       type: "string"
-
+    - variable: "PRIVILEGED_MODE"
+      label: "Run janitor in privileged mode"
+      description: "In hardened environments containers must be privileged to access the bind-mounted unix:///var/run/docker.sock. This is not the default case."
+      default: false
+      required: true
+      type: "boolean"