-
Notifications
You must be signed in to change notification settings - Fork 175
Open
Labels
area/appliancearea/securityManagement of security functionality and other issues that impact securityManagement of security functionality and other issues that impact securitycomponent/portlayercomponent/portlayer/storageseverity/2-seriousHigh usability or functional impact. Often has no workaround.High usability or functional impact. Often has no workaround.
Milestone
Description
Story
As a VIC user I want to be able to pull images
As a security engineer I want all VCH endpointVM components running with least privilege
Detail
We currently mount image disks into the endpointVM in order to extract the image contents. To do so we require sufficient privileges. This means either:
- CAP_SYS_ADMIN
- sudo mount with pattern matching, but then we'd have to shell out to the mount command
- splitting portlayer. storage into a separate component (it was architected for this) with different privileges to the rest of the portlayer components.
Estimate is for (1)
Acceptance
portlayer runs as un-privileged user but can still pull images
Reactions are currently unavailable
Metadata
Metadata
Assignees
Labels
area/appliancearea/securityManagement of security functionality and other issues that impact securityManagement of security functionality and other issues that impact securitycomponent/portlayercomponent/portlayer/storageseverity/2-seriousHigh usability or functional impact. Often has no workaround.High usability or functional impact. Often has no workaround.