You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The prior version talked about potential access to DBus, but this is a
bogus warning: default OS setups do not bind DBus to localhost or to an
abstract Unix socket. It is possible that the original author was
thinking of CVE-2020–15257, which affected containerd's abstract Unix
socket; they fixed it by switching to a named socket, just as DBus
always (?) has done.
Signed-off-by: Warren Young <[email protected]>
Copy file name to clipboardExpand all lines: docs/source/markdown/options/network.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -27,7 +27,7 @@ Valid _mode_ values are:
27
27
28
28
-**container:**_id_: Reuse another container's network stack.
29
29
30
-
-**host**: Do not create a network namespace, the container uses the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
30
+
-**host**: Use the host's network namespace for the container instead of creating an isolated namespace. Warning: This gives the container full access to abstract Unix domain sockets and to TCP/UDP sockets bound to localhost. Since these mechanisms are often used to prevent access to sensitive system services, isolating them from access by external entities, use of this option may be counted a security hole.
31
31
32
32
-**ns:**_path_: Path to a network namespace to join.
0 commit comments