Kai
opened 3 years ago
-
Thanks for submitting the improvement. OneDev by default prevents docker sock mount in executors, and you can enable this only for trusted jobs. This way untrusted jobs should have no way to escape from the container it is running inside.
-
I would like to see an secured docker.sock access e.g. with https://github.com/Tecnativa/docker-socket-proxy That why the api-access can be secured and filtert for only that tasks onedev should be able to do.
may i suggest to use podman instead, rootless and secure by design.
-
Thanks, that sounds like a valid solution for me, did somebody test to run ondev with podman instead of docker? --> if yes, i'll update the documentation regard that, if possible.
-
i suggest only what i use 😁
OneDev running with podman in rootless mode for 5 months. Everything is working and secure.
-
Previous Value Current Value Open
Closed
-
Close this as podman is a popular alternative
| Type |
Improvement
|
| Priority |
Normal
|
| Assignee |
I would like to see an secured docker.sock access e.g. with https://github.com/Tecnativa/docker-socket-proxy That why the api-access can be secured and filtert for only that tasks onedev should be able to do.