Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

driver: set network.host entitlement by default for container drivers #2266

Merged
merged 1 commit into from
Feb 23, 2024
Merged

driver: set network.host entitlement by default for container drivers #2266

merged 1 commit into from
Feb 23, 2024

Conversation

crazy-max
Copy link
Member

fixes #2255

@crazy-max crazy-max marked this pull request as ready for review February 21, 2024 10:43
@AkihiroSuda
Copy link
Collaborator

This seems to be a potentially breaking change (from security perspective), and has to be documented?

AkihiroSuda
AkihiroSuda reviewed Feb 22, 2024
View reviewed changes
builder/builder.go Outdated

if !hasNetworkHostEntitlement {
// always set network.host entitlement as container network is
// isolated for docker-container and kubernetes drivers
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the comment could you explain the purpose of setting the entitlement by default?

@tonistiigi
Copy link
Member

This seems to be a potentially breaking change (from security perspective),

It is not. The default networking for build step containers if builder was in container was already host (meaning host inside the container, not host of machine) and will remain like this in v0.13. This was without setting any --network=host.

tonistiigi
tonistiigi reviewed Feb 22, 2024
View reviewed changes
builder/builder.go Outdated Show resolved Hide resolved
@crazy-max crazy-max force-pushed the container-driver-host-entl branch 3 times, most recently from 2d6ae5c to 4d88ca6 Compare February 23, 2024 10:56
@crazy-max
driver: set network.host entitlement by default for container drivers
e008b84 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max merged commit d891634 into docker:master Feb 23, 2024
63 checks passed
@crazy-max crazy-max deleted the container-driver-host-entl branch February 23, 2024 21:41
@crazy-max crazy-max mentioned this pull request Sep 11, 2024
Closed
3 tasks
@crazy-max crazy-max added this to the v0.13.0 milestone Sep 11, 2024
@crazy-max crazy-max mentioned this pull request Sep 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees
No one assigned
Labels
area/driver/docker-container area/driver/kubernetes impact/docs
Projects
None yet
Milestone
v0.13.0
Development

Successfully merging this pull request may close these issues.

[v0.13] allow network.host daemon entitlement by default in container drivers
3 participants
@crazy-max @AkihiroSuda @tonistiigi