Skip to content

driver: set network.host entitlement by default for container drivers #2266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
crazy-max merged 1 commit into from
Feb 23, 2024
Merged

driver: set network.host entitlement by default for container drivers #2266

crazy-max merged 1 commit into from
Feb 23, 2024

Conversation

@crazy-max
Copy link
Member

@crazy-max crazy-max commented Feb 21, 2024

fixes #2255

@crazy-max crazy-max requested a review from tonistiigi February 21, 2024 10:41
@crazy-max crazy-max marked this pull request as ready for review February 21, 2024 10:43
@AkihiroSuda
Copy link
Collaborator

AkihiroSuda commented Feb 22, 2024

This seems to be a potentially breaking change (from security perspective), and has to be documented?

AkihiroSuda
AkihiroSuda reviewed Feb 22, 2024
View reviewed changes
builder/builder.go Outdated

if !hasNetworkHostEntitlement {
// always set network.host entitlement as container network is
// isolated for docker-container and kubernetes drivers
Copy link
Collaborator

@AkihiroSuda AkihiroSuda Feb 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the comment could you explain the purpose of setting the entitlement by default?

@tonistiigi
Copy link
Member

tonistiigi commented Feb 22, 2024

This seems to be a potentially breaking change (from security perspective),

It is not. The default networking for build step containers if builder was in container was already host (meaning host inside the container, not host of machine) and will remain like this in v0.13. This was without setting any --network=host.

tonistiigi
tonistiigi reviewed Feb 22, 2024
View reviewed changes
@crazy-max crazy-max force-pushed the container-driver-host-entl branch from ae3436e to 48ab88d Compare February 23, 2024 10:14
@crazy-max crazy-max requested a review from tonistiigi February 23, 2024 10:15
@crazy-max crazy-max force-pushed the container-driver-host-entl branch 3 times, most recently from 2d6ae5c to 4d88ca6 Compare February 23, 2024 10:56
@crazy-max
driver: set network.host entitlement by default for container drivers
e008b84 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the container-driver-host-entl branch from 4d88ca6 to e008b84 Compare February 23, 2024 21:23
@crazy-max crazy-max merged commit d891634 into docker:master Feb 23, 2024
@crazy-max crazy-max deleted the container-driver-host-entl branch February 23, 2024 21:41
@crazy-max crazy-max mentioned this pull request Sep 11, 2024
Closed
3 tasks
@crazy-max crazy-max added this to the v0.13.0 milestone Sep 11, 2024
@crazy-max crazy-max mentioned this pull request Sep 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees

No one assigned

Labels

area/driver/docker-container area/driver/kubernetes impact/docs

Projects

None yet

Milestone

v0.13.0

Development

Successfully merging this pull request may close these issues.

[v0.13] allow network.host daemon entitlement by default in container drivers

3 participants

@crazy-max @AkihiroSuda @tonistiigi