CF-239 defaults to Unprivileged Containers on Diego
Nicholas Calugar
Hello Cloud Foundry,
As you may have noticed in the release notes for CF-239 [1], Cloud Foundry now defaults to run containers on Diego in unprivileged mode. This greatly improves security, as root escalation inside the container is no longer a threat to the host operating system. More information about unprivileged containers can be found here [2].

Please note that this new default only applies to a newly requested process on the Diego backend. Running applications must be restarted or otherwise changed to switch to unprivileged containers.

One known incompatibility is running applications that use FUSE file system support.

Operators that would like to continue allowing privileged containers on their Cloud Foundry deployment can use the two new deployment manifest properties listed in the Job Spec Changes for CF-239 [3].

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v239
[2] https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user
[3] https://github.com/cloudfoundry/cf-release/releases/tag/v239#job-spec-changes

Thanks,
Nick

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.
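Because the new default only takes effect once a process is restarted, an operator may want to confirm that a given application instance actually ended up in an unprivileged container. The following is an added example, not part of the announcement and not Cloud Foundry or Diego code. It assumes the mechanism the LXC page linked above describes: an unprivileged container runs in a user namespace in which uid 0 inside the container is remapped to a non-root uid on the host, so /proc/self/uid_map shows inside uid 0 mapping to something other than outside uid 0. A privileged container (or no user namespace at all) shows uid 0 mapping to uid 0. The function takes a uid_map file path so it can be exercised on constructed input; the file name and the interpretation of the mapping are the assumptions.

```shell
#!/bin/sh
# Added example (not from the announcement): decide from a uid_map whether
# uid 0 inside this namespace is also uid 0 on the host.
# Each uid_map line has the form: <inside-start> <outside-start> <count>

uid_map_maps_root_to_root() {
  # $1: path to a uid_map file (defaults to the caller's own map)
  f="${1:-/proc/self/uid_map}"
  while read -r inside outside count; do
    # The range covers inside uid 0 only when it starts at 0 and is non-empty;
    # inside uid 0 then maps to host uid <outside-start>.
    if [ "$inside" -eq 0 ] && [ "$count" -ge 1 ] && [ "$outside" -eq 0 ]; then
      return 0   # privileged: container root is host root
    fi
  done < "$f"
  return 1       # unprivileged: root is remapped (or not mapped at all)
}

# Stand-alone usage: report on the namespace this script runs in.
if [ -r /proc/self/uid_map ]; then
  if uid_map_maps_root_to_root /proc/self/uid_map; then
    echo "privileged: uid 0 in this namespace is uid 0 on the host"
  else
    echo "unprivileged: uid 0 in this namespace is remapped on the host"
  fi
fi
```

To check a running application rather than the machine you are typing on, run the script inside the application container (for example through `cf ssh`) after the restart; an application that still reports "privileged" has not yet picked up the new default, or the deployment has opted back in to privileged containers through the manifest properties mentioned above. The check covers only the uid remapping; it says nothing about other aspects of container isolation.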