This blog post is written for software developers who understand basic concepts about containerized applications (hereinafter referred to as containers), and are new to using Open Horizon to deliver edge computing services.

In Open Horizon and all commercial distributions based on it, you can specify that a service should be deployed with privileged process execution enabled. By default, it is disabled. You must explicitly enable it in the Service Definition file for each container that needs to run in this mode. Further, any agreement negotiated to run that service implies that the target nodes must also explicitly allow privileged mode containers in their Node Policy file.

If you would like to learn more about the agreement process between nodes and services, please watch the short Patterns and Policies video. This is an important concept to understand because a human operator cannot simply deploy a service to a specific node. Instead, the node has a vote in the agreement negotiation process, which is mediated by the AgreementBot. If the service definition or one of its dependencies requires privileged mode, the node policy must also allow privileged mode, or else an agreement will not be formed. The node policy file must explicitly enable privileged mode because the node owner gets a say in what runs on the node. This is the whole purpose of the node policy: to give the node owner agency in the decision about what runs there.

Check your privilege

On a host machine, some tasks can only be performed by an account with root access. This means that the account you are currently logged in as is either the root account itself (generally not a good idea), or your account has acquired root-level privileges through `sudo`. Likewise, containers generally do not need privileged mode on the host: to be run as the root user or to have root-level access on the host computer.

...

If the service definition or one of its dependencies requires privileged mode, the node policy must also allow privileged mode, or else services will not be deployed to the node.

How does privileged process execution impact security?

A major security principle the Open Horizon project follows is: "All parties are untrusted by default." As a result, Node Policies and Service Definitions do not allow privileged process execution by default. You must explicitly enable it in both the node and the service if you want to deploy and run a service that requires it.

However, a privileged container is a powerful and potentially dangerous tool and should not be used without considering alternatives. If you run a container with privileged access, it can access all resources on the host system as the root user. If a privileged container is compromised by a third party, that third party could then gain access to all resources on the host computer.

Therefore, try not to use privileged containers. If you must, follow these guidelines to ensure that privileged containers:

  • are thoroughly and continuously vetted for vulnerabilities

...

  • have a narrow scope for their duties ... meaning they should only perform a specific task

...

...

  • only mount necessary host directories and devices

...

  • (Specified in the Service Definition file. See the example at the bottom of this blog post.)
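The two checks described in this post, that an agreement needs both the Service Definition and the Node Policy to opt in to privileged mode, and that a privileged container should mount only the host paths and devices its task needs, can be modelled in a few lines. The script below is an added example and is not code from the Open Horizon project or from the `hzn` tooling. It assumes the documented JSON shapes (`deployment.services.<name>.privileged`, `binds`, `devices` in the service definition; a `properties` list with the built-in `openhorizon.allowPrivileged` property in the node policy); the organisation, image names, mount paths and policy values are constructed sample data.

```python
"""Model of the privileged-mode decision in an Open Horizon agreement.

Added example, not project code. JSON shapes follow the Service Definition
and Node Policy documents; all org names, images, paths and values are
constructed for illustration.
"""
import json

ALLOW_PRIVILEGED = "openhorizon.allowPrivileged"  # built-in node policy property

# Constructed service definition: one container asks for privileged mode and
# bind-mounts the whole host filesystem read-only, the other is unprivileged.
SERVICE_DEFINITION = json.loads("""
{
  "org": "example-org",
  "url": "com.example.gpio-reader",
  "version": "1.0.0",
  "arch": "amd64",
  "deployment": {
    "services": {
      "gpio-reader": {
        "image": "example-org/gpio-reader:1.0.0",
        "privileged": true,
        "binds": ["/var/lib/gpio-reader:/data:rw", "/:/host:ro"],
        "devices": ["/dev/gpiochip0:/dev/gpiochip0"]
      },
      "metrics": {
        "image": "example-org/metrics:1.0.0",
        "privileged": false,
        "binds": [],
        "devices": []
      }
    }
  }
}
""")

# Constructed dependency (a resolved entry from requiredServices) that needs nothing special.
DEPENDENCY = {
    "org": "example-org",
    "url": "com.example.logger",
    "deployment": {"services": {"logger": {"image": "example-org/logger:1.0.0"}}},
}

# Constructed node policies: the default has no opt-in; the second allows privileged mode.
NODE_POLICY_DEFAULT = {"properties": [], "constraints": []}
NODE_POLICY_ALLOW = {"properties": [{"name": ALLOW_PRIVILEGED, "value": True}], "constraints": []}


def containers(service_def):
    """The per-container deployment map of a service definition."""
    return service_def.get("deployment", {}).get("services", {})


def privileged_containers(service_def):
    """Names of containers whose deployment explicitly asks for privileged mode."""
    return sorted(n for n, c in containers(service_def).items() if c.get("privileged") is True)


def node_allows_privileged(node_policy):
    """Untrusted by default: only an explicit true value on the node allows privileged mode."""
    for prop in node_policy.get("properties", []):
        if prop.get("name") == ALLOW_PRIVILEGED:
            value = prop.get("value")
            return value is True or str(value).lower() == "true"
    return False


def agreement_possible(service_defs, node_policy):
    """(ok, reason) for a service plus its resolved dependencies against one node policy."""
    needs = [(s.get("url", "?"), n) for s in service_defs for n in privileged_containers(s)]
    if not needs:
        return True, "no container requires privileged mode"
    if node_allows_privileged(node_policy):
        return True, f"node policy sets {ALLOW_PRIVILEGED}=true for {needs}"
    return False, f"privileged containers {needs!r} but node policy does not set {ALLOW_PRIVILEGED}=true"


# Host paths that hand a container far more than a single narrow task needs.
BROAD_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/dev", "/var/run/docker.sock")


def lint_mounts(service_def):
    """Flag binds and devices that widen a container's reach beyond its stated duty."""
    findings = []
    for name, c in containers(service_def).items():
        for bind in c.get("binds", []):
            host_path = bind.split(":")[0]
            if host_path in BROAD_HOST_PATHS:
                findings.append(f"{name}: bind {bind!r} exposes broad host path {host_path}")
        for dev in c.get("devices", []):
            if dev.split(":")[0] == "/dev":
                findings.append(f"{name}: device {dev!r} exposes every host device")
        if c.get("privileged") is True and not c.get("devices"):
            findings.append(f"{name}: privileged but maps no devices; a device mapping may suffice")
    return findings


if __name__ == "__main__":
    for label, policy in (("default", NODE_POLICY_DEFAULT), ("allow", NODE_POLICY_ALLOW)):
        ok, reason = agreement_possible([SERVICE_DEFINITION, DEPENDENCY], policy)
        print(f"node policy {label}: agreement={'yes' if ok else 'no'} ({reason})")
    for finding in lint_mounts(SERVICE_DEFINITION):
        print("lint:", finding)
```

Run against the default node policy the agreement is refused because `gpio-reader` asks for privileged mode and the node never opted in; with the permissive policy it is accepted. Independently of the policy outcome, the lint flags the `/:/host:ro` bind, which contradicts the guideline to mount only the host directories the task needs, while the single `/dev/gpiochip0` device mapping passes.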

Why do we use it (what is it good for)?

...