
Commit 9b67411

Merge pull request #182 from newrelic/jonathan/add-seccomp-support
Support setting a seccomp profile in containers
2 parents 05b2fab + 8a03ae4 commit 9b67411

3 files changed

+34
-2
lines changed


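--- a/README.md
+++ b/README.md
@@ -289,6 +289,25 @@ drop_capability 'SOME_CAPABILITY'
 For more information on which kernel capabilities may be specified, see the
 [Docker docs](https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration).
 
+### Setting the security options
+
+Some Docker platforms support container security overlays called `seccomp`.
+During container creation, you may specify security options to control the
+seccomp permissions.
+
+To set a seccomp path:
+```ruby
+add_security_opt 'seccomp=/path/to/seccomp/profile.json'
+```
+
+Or, to unblock all syscalls in a container:
+
+```ruby
+add_security_opt 'seccomp=unconfined'
+```
+
+For more information on this argument, see the [Docker docs](https://docs.docker.com/engine/security/seccomp/).
+
 ### Interpolation
 
 Currently there a couple of special strings for interpolation that can be added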

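--- a/lib/centurion/service.rb
+++ b/lib/centurion/service.rb
@@ -5,7 +5,7 @@ module Centurion
 class Service
 extend ::Capistrano::DSL
 
-attr_accessor :command, :dns, :extra_hosts, :image, :name, :volumes, :port_bindings, :network_mode, :cap_adds, :cap_drops, :ipc_mode
+attr_accessor :command, :dns, :extra_hosts, :image, :name, :volumes, :port_bindings, :network_mode, :cap_adds, :cap_drops, :ipc_mode, :security_opt
 attr_reader :memory, :cpu_shares, :env_vars, :labels
 
 def initialize(name)
@@ -16,6 +16,7 @@ def initialize(name)
 @cap_adds = []
 @cap_drops = []
 @labels = {}
+@security_opt = []
 @network_mode = 'bridge'
 end
 
@@ -38,6 +39,7 @@ def self.from_env
 s.memory = fetch(:memory, 0)
 s.cpu_shares = fetch(:cpu_shares, 0)
 s.ipc_mode = fetch(:ipc_mode, nil)
+s.security_opt = fetch(:security_opt, [])
 
 s.add_labels(fetch(:labels, {}))
 s.add_env_vars(fetch(:env_vars, {}))
@@ -100,6 +102,10 @@ def ipc_mode=(mode)
 @ipc_mode = mode
 end
 
+def add_security_opt(seccomp)
+@security_opt << seccomp
+end
+
 def build_config(server_hostname, &block)
 container_config = {}.tap do |c|
 c['Image'] = image
@@ -164,6 +170,9 @@ def build_host_config(restart_policy = nil)
 # Set ipc mode
 host_config['IpcMode'] = ipc_mode if ipc_mode
 
+# Set seccomp profile
+host_config['SecurityOpt'] = security_opt unless security_opt.nil? || security_opt.empty?
+
 # Restart Policy
 if restart_policy
 host_config['RestartPolicy'] = {}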
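Review bot: The plain `attr_accessor :security_opt` lets callers assign a String (the new spec does exactly that with `service.security_opt = 'seccomp=unconfined'`), and `build_host_config` then passes that bare String through as `HostConfig.SecurityOpt`, which the Docker Engine API declares as a list of strings; a later `add_security_opt` call on that String would also do `String#<<` and silently concatenate the two options into one unparseable entry. Replacing the generated writer with one that coerces via `Array()` keeps both the accessor and `from_env` working while guaranteeing the array shape, and the emission line can drop the `nil?` check once the writer normalizes. The parameter name `seccomp` is also narrower than what `SecurityOpt` accepts (apparmor, label, no-new-privileges are passed the same way), so a `# e.g. 'seccomp=/path/profile.json', 'apparmor=...', 'no-new-privileges'` comment on `add_security_opt` would help; the `seccomp=unconfined` example removes the default syscall filter and is worth a warning where it is documented. `build_host_config` and `from_env` continue outside the hunk.
```ruby
# Accept a single option or a list; Docker expects SecurityOpt as an array of strings.
def security_opt=(opts)
  @security_opt = Array(opts)
end

def add_security_opt(opt)
  @security_opt << opt
end

# … unchanged: build_host_config up to the IpcMode line …
# Set security options (seccomp, apparmor, label, no-new-privileges, ...)
host_config['SecurityOpt'] = Array(security_opt) unless Array(security_opt).empty?
```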

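--- a/spec/service_spec.rb
+++ b/spec/service_spec.rb
@@ -17,6 +17,7 @@
 set(:binds, [ Centurion::Service::Volume.new('/foo', '/foo/bar') ])
 set(:port_bindings, [ Centurion::Service::PortBinding.new(12340, 80, 'tcp') ])
 set(:labels, labels)
+set(:security_opt, ['seccomp=unconfined'])
 
 svc = Centurion::Service.from_env
 expect(svc.name).to eq('mycontainer')
@@ -27,6 +28,7 @@
 expect(svc.port_bindings.size).to eq(1)
 expect(svc.port_bindings.first.container_port).to eq(80)
 expect(svc.labels).to eq(labels)
+expect(svc.security_opt).to eq(['seccomp=unconfined'])
 end
 
 it 'starts with a command' do
@@ -171,6 +173,7 @@
 service.cap_adds = ['IPC_BIND', 'NET_RAW']
 service.cap_drops = ['DAC_OVERRIDE']
 service.add_volume('/volumes/redis.8000', '/data')
+service.security_opt = 'seccomp=unconfined'
 
 expect(service.build_host_config(Centurion::Service::RestartPolicy.new('on-failure', 10))).to eq({
 'Binds' => ['/volumes/redis.8000:/data'],
@@ -184,7 +187,8 @@
 'RestartPolicy' => {
 'Name' => 'on-failure',
 'MaximumRetryCount' => 10
-}
+},
+'SecurityOpt' => 'seccomp=unconfined'
 })
 end
 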
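Review bot: The `build_host_config` example assigns a bare String with `service.security_opt = 'seccomp=unconfined'` and then pins `'SecurityOpt' => 'seccomp=unconfined'` as the expected output, so the spec locks in a scalar where the Docker API's `HostConfig.SecurityOpt` is a list of strings, and it contradicts the `from_env` example a few hunks earlier which treats the value as `['seccomp=unconfined']`. Driving the setup through the public helper, `service.add_security_opt('seccomp=unconfined')`, and expecting `'SecurityOpt' => ['seccomp=unconfined']` would test the documented path and the array shape at once. A second assertion that the key is absent when no option was added would cover the `empty?` guard in `build_host_config`. The enclosing `it` block and `describe` start outside the hunk.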
