[WIP] Security Config for services #1944
Conversation
The security config provides a way to add security settings that may or may not be host specific. This is stored as part of the ContainerSpec and is applied as necessary. Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
api/specs.proto
Outdated
|
|
||
| message SecurityConfig { | ||
| string userns = 30; | ||
| string credential_spec = 31 [(gogoproto.customname) = "CredentialSpec"]; |
There was a problem hiding this comment.
Basically because...
In all seriousness, I saw that registry_auth was high so I put this one to start at 30. Completely arbitrary and I defer to you for what it should be :)
There was a problem hiding this comment.
This is a separate message and the fields can start from 1.
There was a problem hiding this comment.
registry_auth was a bit of an exception ...
We added it knowing in advance that we'd deprecate it (in favor of using secrets to store registry auth) soooo we picked a high number we'd be unlikely to need in the future. Sorry you had to witness that :) We were trying to hide it under the rug.
api/specs.proto
Outdated
| string userns = 30; | ||
| string credential_spec = 31 [(gogoproto.customname) = "CredentialSpec"]; | ||
| } | ||
| SecurityConfig security_config = 40; |
There was a problem hiding this comment.
I think our general practice has been to avoid gaps between field numbers.
| @@ -46,93 +46,93 @@ var _ = math.Inf | |||
| const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package | |||
|
|
|||
| type BasicScalar struct { | |||
| Field1 float64 `protobuf:"fixed64,1,opt,name=Field1,json=field1,proto3" json:"Field1,omitempty"` | |||
There was a problem hiding this comment.
These changes look unrelated. Perhaps you are using a different version of protoc. CI is using https://github.com/google/protobuf/releases/download/v3.0.2/protoc-3.0.2-linux-x86_64.zip
There was a problem hiding this comment.
ah crap yes -- i'll remove that and grab the 3.0.2
api/specs.proto
Outdated
8000
| @@ -258,6 +258,12 @@ message ContainerSpec { | |||
| // task will exit and a new task will be rescheduled elsewhere. A container | |||
| // is considered unhealthy after `Retries` number of consecutive failures. | |||
| HealthConfig healthcheck = 16; | |||
|
|
|||
| message SecurityConfig { | |||
| string userns = 30; | |||
There was a problem hiding this comment.
userns and credential_spec seem somewhat specific to moby/moby#23389 - wondering if we should have different types of SecurityConfig, and this could be one type?
Are there other different security config types do you think go into the SecurityConfig? @diogomonica can security profiles go here, for instance? (not sure if there are windows specific capabilities that should translate to instead).
There was a problem hiding this comment.
Ya I should have brought that comment here. In the Engine PR I mention that I would like to also add --capabilities and a few others to this as well as anything else that other think makes sense.
|
Thanks for chipping in, @ehazlett :) |
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
|
|
||
| message SecurityConfig { | ||
| string userns = 1; | ||
| string credential_spec = 2 [(gogoproto.customname) = "CredentialSpec"]; |
There was a problem hiding this comment.
nit: customname is not required, I believe that's how it's going to get generated anyway.
We use custom names for stuff like DNSConfig (otherwise it would get generated as DnsConfig)
There was a problem hiding this comment.
ah right -- i was thinking i had credentialspec where it would make Credentialspec -- i'll update thx
There was a problem hiding this comment.
What will this field contain?
There was a problem hiding this comment.
It should contain a string that is something like file:///... or registry:// I believe (https://github.com/docker/docker/blob/c0a1d2e0d88ff3cae6802dfbd128c7739e8c2bcc/daemon/start_windows.go#L135). @johnstep can you confirm?
There was a problem hiding this comment.
Is this windows specific? How does this relate to security profiles?
There was a problem hiding this comment.
Yes it's windows specific. I believe it specifies a path to a "credential blob" (moby/moby#23389). This PR was supposed to be about security configuration and not specific to security profiles (although full disclosure I'm not sure what exactly security profiles mean as related to docker). Since they are authentication related and point to what seems like an authentication blob I thought it would be classified as "security".
Based upon the latest comment moby/moby#30894 (comment) this whole thing might be moot anyway.
There was a problem hiding this comment.
I think maybe that particular objection was to the docker service create CLI flags. (cc @diogomonica)
AFAIK the current plan is for low level capabilities to go into the spec and the API. Possibly in a versioned object (or typed objects, like "custom" for the low level capabilities), and for the something else (like the CLI) to translate from high level grants to groups low level capabilities. This is the current tentative plan for security profiles, because it's likely we won't get the first iteration of high level profiles right.
Even if the CLI is not the correct place to put the mapping, and the API needs to accept the higher level API instead, having a version of the profile that contains the low level capabilities in case someone wanted to specify a custom profile could be useful.
But to reiterate @stevvooe's question - I wasn't sure how the other security-related options would relate to security profiles in this object model (should profiles be a separate object in a security configuration for instance, etc.)
There was a problem hiding this comment.
Correct.
SecurityProfile being distinct from SecurityConfig makes sense in my head.
|
This is @cyli and @diogomonica's area |
|
I'm closing this in favor of "security profiles". I will with the security team to get that started. |
|
@diogomonica @ehazlett Seems like the security profiles are a separate concern/object from these particular options (user namespace , credential specs), which seem like they can move forward if we are happy with this config object? I think we just needed another version/typed object representing security profiles, the first version of which contains a full list of capabilities. Another question I had was whether we also wanted to support app armor and seccomp profiles too? If so, those should probably be specified here in the config object as well. |
|
|
@diogomonica I see... then maybe something like (I may be way overusing |
|
@cyli yeah, we might not have a one-off. Same container might run in different arch's w/ different profiles. In general that sort of what I'm thinking about. The current work from @justincormack would get folded into /cc @dsampath |
|
@ehazlett Would you like to continue that work here, or alternately if you prefer I can submit a new PR with just a proposed object model for security profiles? |
|
You have a better understanding than I do. I would appreciate if you
submitted. Thanks
…On Feb 15, 2017 6:32 PM, "Ying Li" ***@***.***> wrote:
@ehazlett <https://github.com/ehazlett> Would you like to continue that
work here, or alternately if you prefer I can submit a new PR with just the
object model for security profiles?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1944 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAP6InjRz6Yga-ZV78Ru7Vy0HNO_BZ-4ks5rc4sdgaJpZM4L87CR>
.
|
|
@cyli I'm all for unblocking this particular feature (cred specs), but I'm slightly concerned we don't know exactly how this fits in the larger picture. Anyway, maybe the discussion on a new PR brings some more clarity on whether we're missing something, or this is a good path. |
The security config provides a way to add security settings
that may or may not be host specific. This is stored as part
of the ContainerSpec and is applied as necessary.
This is needed for things like
usernsandcredentialspec.For more details see moby/moby#30894