All Products
Search

This Product

    Elastic Container Instance:Configure a security context for an elastic container instance or a container

    Document Center

    Elastic Container Instance:Configure a security context for an elastic container instance or a container

    Last Updated:Aug 05, 2024

    This topic describes how to configure a security context and define permissions and access control settings for an elastic container instance or a container.

    Background information

    Security contexts define permissions and access control settings for elastic container instances or containers. Examples of security context settings include Discretionary Access Control, Security Enhanced Linux (SELinux), and Linux Capabilities. For more information, see Configure a Security Context for a Pod or Container.

    You can configure security contexts at the following levels:

    • Instances

      Elastic Container Instance allows you to modify sysctl parameters by configuring a security context for an instance. The security settings that you specify for an instance apply to all containers and volumes in the instance.

    • Containers

      Elastic Container Instance allows you to modify the runAsUser and capabilities parameters by configuring a security context for a container. The security settings that you specify for a container apply only to the specified container.

    Configure a security context for an instance

    Feature description

    In a Linux system, you can modify runtime kernel parameters by using the sysctl interface. You can view the kernel parameters of an elastic container instance by running the following command. For more information, see sysctl.sh. 

    sysctl -a

    You can modify the sysctl and runAsUser parameters by configuring a security context for a pod.

    Warning

    To avoid instability in the operating system, you must fully understand the impacts of sysctl parameter modifications before you proceed. For more information, see sysctl.

    The following sysctl parameters can be modified in Elastic Container Instance:

    • kernel.shm*

    • kernel.msg*

    • kernel.sem

    • fs.mqueue.*

    • net.* (except net.ipv4.tcp_syncookies)

    • vm.min_free_kbytes

      We recommend that you specify a value for vm.min_free_kbytes that is not greater than 20% of the total memory size.

    Configuration description

    When you call the CreateContainerGroup API operation to create an elastic container instance, you can use SecurityContext.Sysctl-related parameters or HostSecurityContext.Sysctl-related parameters to configure a security context for the instance. SecurityContext.Sysctl-related parameters are used to modify safe sysctls, and HostSecurityContext.Sysctl-related parameters are used to modify unsafe sysctls. The following table describes the relevant parameters. For more information, see CreateContainerGroup.

    Parameter

    Type

    Example

    Description

    SecurityContext.Sysctl.N.Name

    string

    net.ipv4.ping_group_range

    The name of the safe sysctl when you modify sysctls by configuring a security context. Valid values:

    • net.ipv4.ping_group_range

    • net.ipv4.ip_unprivileged_port_start

    SecurityContext.Sysctl.N.Value

    string

    1

    The value of the safe sysctl when you modify sysctls by configuring a security context.

    HostSecurityContext.Sysctl.N.Name

    string

    kernel.msgmax

    The name of the unsafe sysctl when you modify sysctls by configuring a security context. Valid values:

    • kernel.shm * (except kernel.shm_rmid_forced)

    • kernel.msg*

    • kernel.sem

    • fs.mqueue.*

    • net.* (except for net.ipv4.ip_local_port_range, net.ipv4.tcp_syncookies, net.ipv4.ping_group_range, and net.ipv4.ip_unprivileged_port_start)

    HostSecurityContext.Sysctl.N.Value

    string

    65536

    The value of the unsafe sysctl when you modify sysctls by configuring a security context.

    Configure a security context for a container

    Feature description

    You can configure a security context for a specified container. The following table describes the parameters supported by Elastic Container Instance.

    Parameter

    Description

    runAsUser

    The ID of the user who runs the container. The parameter settings override the USER command in the Dockerfile.

    runAsGroup

    The user group that runs the container.

    runAsNonRoot

    Specifies whether the user runs the container as a non-root user. Valid values: true or false. Default value: false.

    privileged

    Specifies whether the container is run in privileged mode. A value of true specifies that the container is run in privileged mode. Default value: false.

    Note

    The privileged container feature is in internal preview. To use the feature, submit a ticket.

    capabilities

    The permissions that are granted to processes in the container. For more information, see Linux capabilities.

    You can configure the following permissions:

    • AUDIT_WRITE

    • CHOWN

    • DAC_OVERRIDE

    • FSETID

    • FOWNER

    • KILL

    • MKNOD

    • NET_ADMIN

    • NET_BIND_SERVICE

    • NET_RAW

    • SETGID

    • SETUID

    • SETFCAP

    • SETPCAP

    • SYS_CHROOT

    • SYS_PTRACE

    • SYS_RAWIO

    Note

    You cannot grant the SYS_RAWIO permission to processes. To use SYS_RAWIO, submit a ticket.

    The following table describes some parameters that are not supported and the default values of the parameters.

    Unsupported parameters

    Description

    AllowedProcMountTypes

    The allowed proc mount types for the container. Default value: DefaultProcMount.

    readOnlyRootFilesystem

    Species whether the root file system that the container runs is read-only. Default value: true.

    Configuration description

    When you call the CreateContainerGroup API operation to create an elastic container instance, you can use Container.N.SecurityContext-related parameters to configure a security context for the container. The following table describes the relevant parameters. For more information, see CreateContainerGroup.

    Parameter

    Type

    Example

    Description

    Container.N.SecurityContext.Capability.Add.N

    array

    NET_ADMIN

    The permissions that are granted to processes in the container.

    Container.N.SecurityContext.ReadOnlyRootFilesystem

    boolean

    true

    Specifies whether the root file system on which the container runs is read-only. Set the value to true.

    Container.N.SecurityContext.RunAsUser

    long

    1000

    The ID of the user that runs the container.

    Container.N.SecurityContextRunAsGroup

    long

    3000

    The user group that runs the container.

    Container.N.SecurityContextRunAsNonRoot

    boolean

    true

    Specifies whether to run the container as a non-root user. Default value: false. Valid values:

    • true: runs the container as a non-root user.

    • false: runs the container as a root user.

    Container.N.SecurityContextPrivileged

    boolean

    true

    Specifies whether to enable privileged mode for the container. That is, whether to run the container in privileged mode. Default value: false. Valid values:

    • true: enables privileged mode for the container.

    • false: does not enable privileged mode for the container.

    Note

    The privileged container feature is in internal preview. To use the feature, submit a ticket.

    Note

    You can also configure security contexts for init containers. The parameters that you need to configure are similar to the parameters in the preceding table, but you cannot not configure the SecurityContextRunAsGroup and SecurityContextRunAsNonRoot parameters for init containers.