Privileged required #6

deed02392 · 2017-07-20T15:12:18Z

Why is the privileged flag required for the operation of Phlex? Can we address this potential security issue?

d8ahazard · 2017-07-20T15:44:34Z

I honestly don't know that it is. Docker is new to me - I'm always open to suggestions for improvement.

deed02392 · 2017-07-20T15:47:06Z

I think you may have enabled it because you need it to configure the host device to support multicast? Did you write this and have simply forgotten why you enabled it? :-)

d8ahazard · 2017-07-20T17:33:28Z

I think so. I'm seeing some messages in the log with it disabled about iptables needing root privileges. Working on some other things with it at the moment, adding some env variables for the ports. How much do you know about docker? I'm trying to link the Phlex logs to the standard output, but not getting very far...

…

On Thu, Jul 20, 2017 at 10:47 AM, deed02392 ***@***.***> wrote: I think you may have enabled it because you need it to configure the host device to support multicast? Did you write this and have simply forgotten why you enabled it? :-) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#6 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABjuNOkQxLDWwNZcFhNgZyYmSYEto-O9ks5sP3Z8gaJpZM4OeQIY> .

deed02392 · 2017-07-22T15:29:37Z

I think you need to ensure Phlex runs as PID 1, by using ENTRYPOINT exec form: https://docs.docker.com/engine/reference/builder/#exec-form-entrypoint-example

d8ahazard · 2017-08-04T14:10:48Z

@deed02392

https://forum.linuxserver.io/thread-495.html

I'm trying to get LSIO to make a proper image so this can become a non-issue. Pop over and show some support! :D

aptalca · 2017-08-07T19:49:50Z

@deed02392
--privileged is used for two reasons:

iptables
sysctl (for multicast)

iptables without privileged works if --cap-add=NET_ADMIN is added but I'm not sure what capability provides sysctl ability. I tried some of the obvious ones but they didn't work

deed02392 · 2017-08-07T22:03:11Z

What specific sysctl parameters are getting changed? They can be modified with the call to run the container: --sysctl flag.

…

On 7 August 2017 at 20:49, aptalca ***@***.***> wrote: @deed02392 <https://github.com/deed02392> --privileged is used for two reasons: 1. iptables 2. sysctl (for multicast) iptables without privileged works if --cap-add=NET_ADMIN is added but I'm not sure what capability provides sysctl ability. I tried some of the obvious ones but they didn't work — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADX01w3xMhrNTHheHR3pKgju0uk3gLuHks5sV2pfgaJpZM4OeQIY> .

-- From George Hafiz

aptalca · 2017-08-07T22:25:29Z

https://github.com/d8ahazard/docker-phlex/blob/master/root/etc/cont-init.d/40-install#L9

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Privileged required #6

Privileged required #6

deed02392 commented Jul 20, 2017

d8ahazard commented Jul 20, 2017

deed02392 commented Jul 20, 2017

d8ahazard commented Jul 20, 2017 via email

deed02392 commented Jul 22, 2017

d8ahazard commented Aug 4, 2017

aptalca commented Aug 7, 2017

deed02392 commented Aug 7, 2017 via email

aptalca commented Aug 7, 2017

Privileged required #6

Privileged required #6

Comments

deed02392 commented Jul 20, 2017

d8ahazard commented Jul 20, 2017

deed02392 commented Jul 20, 2017

d8ahazard commented Jul 20, 2017 via email

deed02392 commented Jul 22, 2017

d8ahazard commented Aug 4, 2017

aptalca commented Aug 7, 2017

deed02392 commented Aug 7, 2017 via email

aptalca commented Aug 7, 2017