CF-239 defaults to Unprivileged Containers on Diego


Nicholas Calugar
 

Hello Cloud Foundry,

As you may have noticed in the release notes for CF-239 [1], Cloud Foundry
now defaults to run containers on Diego in unprivileged mode. This greatly
improves security as root escalation inside the container is no longer a
threat to the host operating system. More information about unprivileged
containers can be found here [2].

Please note that this new default only applies to a newly requested process
on the Diego backend. Running applications must be restarted or otherwise
changed to switch to unprivileged containers.

One known incompatibility is running applications that use FUSE file system
support. Operators that would like to continue allowing privileged
containers on their Cloud Foundry deployment can use the two new deployment
manifest properties listed in the Job Spec Changes for CF-239 [3].


[1] https://github.com/cloudfoundry/cf-release/releases/tag/v239
[2]
https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user
[3]
https://github.com/cloudfoundry/cf-release/releases/tag/v239#job-spec-changes


Thanks,

Nick

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.