Zun

Allow docker containers to be created with extra capacities or privileged mode

Registered by João Silva on 2018-01-03

For use cases such as Virtualized Network Functions, access and management to the network stack is required. To do so containers should be allowed to be created with extra capacities such as NET_ADMIN. This is already permitted in docker.

$ openstack appcontainer create (...) --cap-add NET_ADMIN
or
$ openstack appcontainer create (...) --privileged

Security considerations suggest that only admin users should be allowed to instantiate containers in this manner.

Blueprint information

Status:
Not started
Approver:
hongbin
Priority:
Medium
Drafter:
João Silva
Direction:
Approved
Assignee:
None
Definition:
Approved
Series goal:
Accepted for victoria
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

Per my understanding, this BP has two parts: add support for privileged container, add support for linux capacities. The first one is already supported: https://blueprints.launchpad.net/zun/+spec/support-zun-create-privileged , the latter is not yet supported. This BP is for tracking the latter.
-- hongbin 2020-04-26

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.