scottk/ols-nos
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/ols-nos.git synced 2025-10-31 18:17:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
cd914383cf5ae15d11b3bd7d025a381c9f859b51
ols-nos/rules/docker-restapi.mk
Mai Bui 6ea03f9f78 [docker-restapi] limit privileged flag for restapi container (#17138) 
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
Microsoft ADO (number only): 14807420
How I did it
Reduce linux capabilities in privileged flag

How to verify it
Run restapi sonic-mgmt tests on sn4600c
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
2023-11-21 14:50:31 +08:00

28 lines
935 B
Makefile
Raw Blame History

# docker image for rest-api
DOCKER_RESTAPI_STEM = docker-sonic-restapi
DOCKER_RESTAPI = $(DOCKER_RESTAPI_STEM).gz
$(DOCKER_RESTAPI)_DEPENDS += $(LIBNL3) $(LIBNL_GENL3) \
$(LIBNL_ROUTE3) $(LIBSWSSCOMMON) $(RESTAPI)
$(DOCKER_RESTAPI)_PATH = $(DOCKERS_PATH)/$(DOCKER_RESTAPI_STEM)
$(DOCKER_RESTAPI)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BULLSEYE)
$(DOCKER_RESTAPI)_VERSION = 1.0.0
$(DOCKER_RESTAPI)_PACKAGE_NAME = restapi
ifeq ($(INCLUDE_RESTAPI), y)
SONIC_DOCKER_IMAGES += $(DOCKER_RESTAPI)
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_RESTAPI)
endif
$(DOCKER_RESTAPI)_CONTAINER_NAME = restapi
$(DOCKER_RESTAPI)_RUN_OPT += -t
$(DOCKER_RESTAPI)_RUN_OPT += -v /var/run/redis/redis.sock:/var/run/redis/redis.sock
$(DOCKER_RESTAPI)_RUN_OPT += -v /etc/sonic/credentials:/etc/sonic/credentials:ro
$(DOCKER_RESTAPI)_RUN_OPT += -p=8081:8081/tcp
$(DOCKER_RESTAPI)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
Reference in New Issue View Git Blame Copy Permalink