Remove privileged flag for database and snmp docker #13783

andriydnvd · 2023-02-11T12:58:36Z

Signed-off-by: Andriy Dobush [email protected]

Why I did it

NOT FOR MERGE !!!!
Reduce docker privilege
This is part of HLD sonic-net/SONiC#1364

How I did it

Remove flag --privileged

How to verify it

docker exec -it database bash
root@0048b82b460b:/# ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted

Which release branch to backport (provide reason below if selected)

Description for the changelog

Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

lguohan · 2023-02-13T18:46:25Z

please identify reviewer for this pr.

andriydnvd · 2023-02-16T09:39:27Z

please identify reviewer for this pr.

@qiluo-msft

andriydnvd · 2023-02-16T09:41:21Z

/azpw run Azure.sonic-buildimage

mssonicbld · 2023-02-16T09:41:23Z

/AzurePipelines run Azure.sonic-buildimage

azure-pipelines · 2023-02-16T09:41:34Z

Azure Pipelines successfully started running 1 pipeline(s).

qiluo-msft · 2023-02-28T19:05:42Z

/azp run Azure.sonic-buildimage

qiluo-msft · 2023-02-28T19:10:59Z

I retriggered another build: https://dev.azure.com/mssonic/build/_build/results?buildId=226231&view=results

andriydnvd · 2023-03-03T23:20:14Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2023-03-03T23:20:19Z

Commenter does not have sufficient privileges for PR 13783 in repo sonic-net/sonic-buildimage

maipbui · 2023-03-03T23:25:25Z

@andriydnvd I think you should run "azpw run Azure.sonic-buildimage" instead, only pr author can trigger the pipeline using "azpw" command.

andriydnvd · 2023-03-06T13:06:59Z

I retriggered another build: https://dev.azure.com/mssonic/build/_build/results?buildId=226231&view=results
Current bgp fails looks like infrastructure issue. One of neighbors is down
https://www.testbed-tools.org/scheduler/testplan/63fe6654e64d81d25355e867
Retrigerring

andriydnvd · 2023-03-06T13:17:19Z

/azpw run Azure.sonic-buildimage

mssonicbld · 2023-03-06T13:17:21Z

/AzurePipelines run Azure.sonic-buildimage

azure-pipelines · 2023-03-06T13:17:34Z

Azure Pipelines successfully started running 1 pipeline(s).

andriydnvd · 2023-03-09T08:24:56Z

@qiluo-msft Passed after rebase onto upstream master

qiluo-msft · 2023-04-18T22:27:29Z

I see some changes not related to database docker container. Could you merge latest master or rebase to latest master?

Signed-off-by: Andriy Dobush <[email protected]>

andriydnvd · 2023-05-22T07:57:46Z

I see some changes not related to database docker container. Could you merge latest master or rebase to latest master?

Hi, @qiluo-msft update branch. Pls check

maipbui

LGTM. Please change PR title to database and snmp

andriydnvd · 2023-08-03T13:31:40Z

LGTM. Please change PR title to database and snmp

Done, thanks

Yarden-Z · 2023-08-15T18:17:59Z

Ready for merger

…t#13783)" This reverts commit cf72683.

…#16210) This reverts commit cf72683.

#### Why I did it Reduce docker privilege This is part of HLD sonic-net/SONiC#1364 #### How I did it Remove flag --privileged #### How to verify it docker exec -it database bash root@0048b82b460b:/# ip link add dummy0 type dummy RTNETLINK answers: Operation not permitted

…t#13783)" (sonic-net#16210) This reverts commit cf72683.

qiluo-msft requested a review from maipbui February 28, 2023 19:03

andriydnvd added 2 commits May 15, 2023 16:15

Remove privileged flag for database docker

4616dc0

Signed-off-by: Andriy Dobush <[email protected]>

Remove privileged flag for snmp docker

448fd40

Signed-off-by: Andriy Dobush <[email protected]>

andriydnvd force-pushed the docker_hardening_priv branch from c498438 to 448fd40 Compare May 15, 2023 13:20

maipbui mentioned this pull request Jul 5, 2023

SONiC Container Hardening sonic-net/SONiC#1364

Merged

maipbui approved these changes Jul 11, 2023

View reviewed changes

andriydnvd changed the title ~~Remove privileged flag for database docker~~ Remove privileged flag for database and snmp docker Aug 3, 2023

qiluo-msft approved these changes Aug 3, 2023

View reviewed changes

maipbui mentioned this pull request Aug 11, 2023

[database] enable userns-remap and make redis process runs as non-root user #15972

Closed

11 tasks

qiluo-msft marked this pull request as ready for review August 15, 2023 18:18

qiluo-msft requested a review from xumia as a code owner August 15, 2023 18:18

qiluo-msft requested a review from lguohan as a code owner August 15, 2023 18:18

qiluo-msft merged commit cf72683 into sonic-net:master Aug 15, 2023

yejianquan mentioned this pull request Aug 19, 2023

Revert "Remove privileged flag for database and snmp docker" #16210

Merged

yejianquan added a commit to yejianquan/sonic-buildimage that referenced this pull request Aug 19, 2023

Revert "Remove privileged flag for database and snmp docker (sonic-ne…

fd44486

…t#13783)" This reverts commit cf72683.

liat-grozovik pushed a commit that referenced this pull request Aug 19, 2023

Revert "Remove privileged flag for database and snmp docker (#13783)" (…

5204bfb

…#16210) This reverts commit cf72683.

sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023

Revert "Remove privileged flag for database and snmp docker (sonic-ne…

869b4e0

…t#13783)" (sonic-net#16210) This reverts commit cf72683.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove privileged flag for database and snmp docker #13783

Remove privileged flag for database and snmp docker #13783

andriydnvd commented Feb 11, 2023 •

edited by qiluo-msft

Loading

lguohan commented Feb 13, 2023

andriydnvd commented Feb 16, 2023

andriydnvd commented Feb 16, 2023

mssonicbld commented Feb 16, 2023

azure-pipelines bot commented Feb 16, 2023

qiluo-msft commented Feb 28, 2023

qiluo-msft commented Feb 28, 2023

andriydnvd commented Mar 3, 2023

azure-pipelines bot commented Mar 3, 2023

maipbui commented Mar 3, 2023

andriydnvd commented Mar 6, 2023

andriydnvd commented Mar 6, 2023

mssonicbld commented Mar 6, 2023

azure-pipelines bot commented Mar 6, 2023

andriydnvd commented Mar 9, 2023

qiluo-msft commented Apr 18, 2023

andriydnvd commented May 22, 2023

maipbui left a comment

andriydnvd commented Aug 3, 2023

Yarden-Z commented Aug 15, 2023

Remove privileged flag for database and snmp docker #13783

Remove privileged flag for database and snmp docker #13783

Conversation

andriydnvd commented Feb 11, 2023 • edited by qiluo-msft Loading

Why I did it

How I did it

How to verify it

Which release branch to backport (provide reason below if selected)

Description for the changelog

Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

lguohan commented Feb 13, 2023

andriydnvd commented Feb 16, 2023

andriydnvd commented Feb 16, 2023

mssonicbld commented Feb 16, 2023

azure-pipelines bot commented Feb 16, 2023

qiluo-msft commented Feb 28, 2023

qiluo-msft commented Feb 28, 2023

andriydnvd commented Mar 3, 2023

azure-pipelines bot commented Mar 3, 2023

maipbui commented Mar 3, 2023

andriydnvd commented Mar 6, 2023

andriydnvd commented Mar 6, 2023

mssonicbld commented Mar 6, 2023

azure-pipelines bot commented Mar 6, 2023

andriydnvd commented Mar 9, 2023

qiluo-msft commented Apr 18, 2023

andriydnvd commented May 22, 2023

maipbui left a comment

Choose a reason for hiding this comment

andriydnvd commented Aug 3, 2023

Yarden-Z commented Aug 15, 2023

andriydnvd commented Feb 11, 2023 •

edited by qiluo-msft

Loading