Clarified the consequences of --network=host #26263
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Luap99, tangentsoft The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Oh looks like cirrus CI wasn't triggered correctly, can you please force push this again to trigger it. |
|
[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore. |
| - **container:**_id_: Reuse another container's network stack. | ||
|
|
||
| - **host**: Do not create a network namespace, the container uses the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. | ||
| - **host**: Use the host's network namespace for the container instead of creating an isolated namespace. Warning: This gives the container full access to abstract Unix domain sockets and to TCP/UDP sockets bound to localhost. Since these mechanisms are often used to prevent access to sensitive system services, isolating them from access by external entities, use of this option may be counted a security hole. |
There was a problem hiding this comment.
Maybe "may be considered a security vulnerability" instead of "may be counted as a security hole"?
There was a problem hiding this comment.
I have no objections to someone else "finishing" this PR. I pushed it more to instigate change than to get a particular expression of that change landed.
There was a problem hiding this comment.
fixed the comment and force pushed to your branch so we can get this merged.
|
Minor rewording suggestion, overall looks fine. |
The prior version talked about potential access to DBus, but this is a bogus warning: default OS setups do not bind DBus to localhost or to an abstract Unix socket. It is possible that the original author was thinking of CVE-2020–15257, which affected containerd's abstract Unix socket; they fixed it by switching to a named socket, just as DBus always (?) has done. Signed-off-by: Warren Young <[email protected]> Signed-off-by: Paul Holzinger <[email protected]>
Luap99
force-pushed
the
network-host-doc-warning
branch
from
56a070a to
0080368
Compare
|
LGTM |
|
/lgtm |
openshift-merge-bot
bot
merged commit 98e6d85
into
containers:main
stale-locking-app
bot
added
the
locked - please file new issue/PR
The prior version talked about potential access to DBus, but this is a bogus warning: default OS setups do not bind DBus to localhost or to an abstract Unix socket. It is possible that the original author was thinking of CVE-2020–15257, which affected containerd's abstract Unix socket; they fixed it by switching to a named socket, just as DBus always (?) has done.
Does this PR introduce a user-facing change?
Yes.