feat(profile): update docker profiles.
This commit is contained in:
Alexandre Pujol
parent
c80c82fda2
commit
86759f2ef1
2 changed files with 14 additions and 3 deletions
|
|
@ -56,6 +56,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
|
||||||
@{PROC}/@{pids}/oom_score_adj rw,
|
@{PROC}/@{pids}/oom_score_adj rw,
|
||||||
@{PROC}/sys/net/core/somaxconn r,
|
@{PROC}/sys/net/core/somaxconn r,
|
||||||
|
|
||||||
|
@{att}/dev/pts/ptmx rw,
|
||||||
|
|
||||||
include if exists <local/containerd-shim-runc-v2>
|
include if exists <local/containerd-shim-runc-v2>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,6 +21,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||||
capability kill,
|
capability kill,
|
||||||
capability mknod,
|
capability mknod,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
capability net_bind_service,
|
||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability setfcap,
|
capability setfcap,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
@ -77,13 +78,15 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
# Docker needs full access of the containers it manages.
|
# Docker needs full access of the containers it manages.
|
||||||
# TODO: should be in a sub profile started with pivot_root, not supported yet.
|
# TODO: should be in a sub profile started with pivot_root, not supported yet.
|
||||||
/{,**} rwl,
|
/{,**} rwl, #aa:only apt
|
||||||
|
|
||||||
|
@{att}/@{lib}/containerd/** rw,
|
||||||
|
@{att}/var/lib/docker/{,**} rwk,
|
||||||
|
|
||||||
/etc/docker/{,**} r,
|
/etc/docker/{,**} r,
|
||||||
|
|
||||||
@{att}/ r,
|
@{att}/ r,
|
||||||
|
|
||||||
owner @{att}/@{lib}/containerd/** rw,
|
|
||||||
owner @{lib}/docker/overlay2/*/work/{,**} rw,
|
owner @{lib}/docker/overlay2/*/work/{,**} rw,
|
||||||
owner /var/lib/containerd/** rw,
|
owner /var/lib/containerd/** rw,
|
||||||
owner /var/lib/docker/{,**} rwk,
|
owner /var/lib/docker/{,**} rwk,
|
||||||
|
|
@ -92,9 +95,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||||
/tmp/build/ w,
|
/tmp/build/ w,
|
||||||
/tmp/containerd-mount@{int}/{,**} rw,
|
/tmp/containerd-mount@{int}/{,**} rw,
|
||||||
|
|
||||||
|
@{run}/systemd/notify rw,
|
||||||
|
|
||||||
|
@{run}/containerd/containerd.sock rw,
|
||||||
|
owner @{run}/docker.pid rw,
|
||||||
owner @{run}/docker/ rw,
|
owner @{run}/docker/ rw,
|
||||||
owner @{run}/docker/** rwlk,
|
owner @{run}/docker/** rwlk,
|
||||||
owner @{run}/docker.pid rw,
|
|
||||||
|
|
||||||
@{sys}/devices/virtual/net/** r,
|
@{sys}/devices/virtual/net/** r,
|
||||||
@{sys}/fs/cgroup/cgroup.controllers r,
|
@{sys}/fs/cgroup/cgroup.controllers r,
|
||||||
|
|
@ -106,6 +112,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||||
@{PROC}/1/cgroup r,
|
@{PROC}/1/cgroup r,
|
||||||
@{PROC}/1/environ r,
|
@{PROC}/1/environ r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
|
@{PROC}/pressure/cpu r,
|
||||||
|
@{PROC}/pressure/io r,
|
||||||
|
@{PROC}/pressure/memory r,
|
||||||
@{PROC}/sys/kernel/keys/root_maxkeys r,
|
@{PROC}/sys/kernel/keys/root_maxkeys r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
@{PROC}/sys/kernel/threads-max r,
|
@{PROC}/sys/kernel/threads-max r,
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue