[caasp-beta] Antw: Re: Antw: Re: Antw: Re: tcpdump
Rob de Canha-Knight
rob.decanha-knight at suse.com
Thu Dec 7 08:25:37 MST 2017
It’s also worth mentioning that we have privileged containers enabled within CaaSP so the vast majority of debugging containers should work without issue when you pass —privileged into the docker run command.
As Martin points out we try to keep the security surface as small as possible by only installing the bare minimum needed to run containers. MicroOS is designed to only run containers and isn’t recommended for running any kind of binary or package so a debug container is the best approach IMHO.
If you have a specific issue with a specific tool inside of a privileged debug container please let us know as we can definitely look into this and try and fix any compatibility issues that may arise.
Sent from my iPhone - please excuse any shortness
> On 7 Dec 2017, at 15:57, Martin Weiss <Martin.Weiss at suse.com> wrote:
>>>>> An other approach for all that debugging purposes could be to use a special
>>>>> docker image / docker container that delivers all the trouble shooting tools
>>>>> required and run that with proper elevated rights..
>> That is either complex, as the container has not all capabilities needed
>> for proper debugging purposes, or a security nightmare, or most probably
> Yes - there is security and complexity assigned - but installing all the required debug packages on all the servers might be even worse from a security point of view and they might not be even part of the CaaSP delivery channels.
> Advantage of a debug container is that it can be added on demand and cleanup is fully automated.. when installing all the debug packages these are a security problem while they are installed and the also need to be upgraded / patched etc.
> So both ways have their pros and cons ;-)
> caasp-beta mailing list
> caasp-beta at lists.suse.com
More information about the caasp-beta