1e75f99839
The default Linux Capabilities set enabled by the docker, exec, and java task drivers includes CAP_NET_RAW (for making ping just work), which has the side effect of opening an ARP DoS/MiTM attack between tasks using bridge networking on the same host network. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities This PR disables CAP_NET_RAW for the docker, exec, and java task drivers. The previous behavior can be restored for docker using the allow_caps docker plugin configuration option. A future version of nomad will enable similar configurability for the exec and java task drivers.
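An added check, not part of this commit or of Nomad itself: a small Python script a task can run to read its own effective capability set from /proc/self/status and report whether CAP_NET_RAW (capability number 13) is still granted after the driver change. The two status excerpts embedded below are constructed samples, not captured from a real task.

```python
import re

# CAP_NET_RAW is capability number 13 in linux/capability.h.
CAP_NET_RAW = 13


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found in status text")
    return int(match.group(1), 16)


def has_cap_net_raw(status_text: str) -> bool:
    """True if bit 13 (CAP_NET_RAW) is set in the effective capability set."""
    return bool(parse_cap_eff(status_text) & (1 << CAP_NET_RAW))


# Constructed sample /proc/self/status excerpts (assumed values, not real captures).
# 0xa80425fb is the well-known Docker default capability set, which includes
# net_raw; 0xa80405fb is the same set with bit 13 (net_raw) cleared.
STATUS_WITH_NET_RAW = "Name:\tping\nCapEff:\t00000000a80425fb\n"
STATUS_WITHOUT_NET_RAW = "Name:\tping\nCapEff:\t00000000a80405fb\n"


def check_own_process() -> bool:
    """Inspect the calling process; run this inside a task to verify the driver config."""
    with open("/proc/self/status") as status_file:
        return has_cap_net_raw(status_file.read())


if __name__ == "__main__":
    try:
        granted = check_own_process()
    except OSError:
        # Not on Linux (or /proc unavailable): fall back to the constructed samples.
        granted = has_cap_net_raw(STATUS_WITH_NET_RAW)
    print("CAP_NET_RAW in effective set:", granted)
```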
Changed files: index.mdx, upgrade-specific.mdx