Bug 1119278
Summary: | [RFE] /usr/bin/docker should be split into smaller binaries | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jiri Jaburek <jjaburek> |
Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED UPSTREAM | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 7.0 | CC: | dwalsh |
Target Milestone: | rc | Keywords: | Extras, FutureFeature |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Enhancement | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-04-14 19:53:05 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jiri Jaburek
2014-07-14 12:16:09 UTC
This would have to be totally handled upstream. FYI: This seems to be one of Docker's "end goals", as described in the Security section of the upstream documentation: -------------------------------------------------------------------- The end goal for Docker is therefore to implement two additional security improvements: - map the root user of a container to a non-root user of the Docker host, to mitigate the effects of a container-to-host privilege escalation; - allow the Docker daemon to run without root privileges, and delegate operations requiring those privileges to well-audited sub-processes, each with its own (very limited) scope: virtual network setup, filesystem management, etc. -------------------------------------------------------------------- https://docs.docker.com/articles/security/ The first one is about User Namespace. The second one is potential, although I think this is very low on their priority list. This continues to be talked about upstream, but not sure there is any action on it. This needs to happen upstream. We are looking at potential other tools like CoreOS and systemd-dkr. |