
Elastic Container Instance: Configure a security context for an elastic container instance or a container

Last Updated:Aug 05, 2024

This topic describes how to configure a security context and define permissions and access control settings for an elastic container instance or a container.

Background information

Security contexts define permissions and access control settings for elastic container instances or containers. Examples of security context settings include Discretionary Access Control, Security Enhanced Linux (SELinux), and Linux Capabilities. For more information, see Configure a Security Context for a Pod or Container.

You can configure security contexts at the following levels:

  • Instances

    Elastic Container Instance allows you to modify sysctl parameters by configuring a security context for an instance. The security settings that you specify for an instance apply to all containers and volumes in the instance.

  • Containers

    Elastic Container Instance allows you to modify the runAsUser and capabilities parameters by configuring a security context for a container. The security settings that you specify for a container apply only to the specified container.

Configure a security context for an instance

Feature description

In a Linux system, you can modify runtime kernel parameters through the sysctl interface. You can view the current kernel parameters of an elastic container instance by running the following command in a container. For more information, see sysctl.sh.

sysctl -a

The sysctl parameters listed below are modified by configuring a security context for the instance (the pod); runAsUser is set in the security context of each container.

Warning

To avoid instability in the operating system, you must fully understand the impacts of sysctl parameter modifications before you proceed. For more information, see sysctl.

The following sysctl parameters can be modified in Elastic Container Instance:

  • kernel.shm*

  • kernel.msg*

  • kernel.sem

  • fs.mqueue.*

  • net.* (except net.ipv4.tcp_syncookies)

  • vm.min_free_kbytes

    We recommend that you specify a value for vm.min_free_kbytes that is not greater than 20% of the total memory size.

Configuration description

When you call the CreateContainerGroup API operation to create an elastic container instance, you can use SecurityContext.Sysctl-related parameters or HostSecurityContext.Sysctl-related parameters to configure a security context for the instance. SecurityContext.Sysctl-related parameters are used to modify safe sysctls, and HostSecurityContext.Sysctl-related parameters are used to modify unsafe sysctls. The following table describes the relevant parameters. For more information, see CreateContainerGroup.

SecurityContext.Sysctl.N.Name
  Type: string
  Example: net.ipv4.ping_group_range
  Description: The name of the safe sysctl to modify. Valid values:

    • net.ipv4.ping_group_range

    • net.ipv4.ip_unprivileged_port_start

SecurityContext.Sysctl.N.Value
  Type: string
  Example: 1
  Description: The value of the safe sysctl.

HostSecurityContext.Sysctl.N.Name
  Type: string
  Example: kernel.msgmax
  Description: The name of the unsafe sysctl to modify. Valid values:

    • kernel.shm* (except kernel.shm_rmid_forced)

    • kernel.msg*

    • kernel.sem

    • fs.mqueue.*

    • net.* (except net.ipv4.ip_local_port_range and net.ipv4.tcp_syncookies, which cannot be modified, and net.ipv4.ping_group_range and net.ipv4.ip_unprivileged_port_start, which are safe sysctls and are set through SecurityContext.Sysctl instead)

HostSecurityContext.Sysctl.N.Value
  Type: string
  Example: 65536
  Description: The value of the unsafe sysctl.

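The following Python helper is an added example and is not Alibaba Cloud's own SDK or documentation code. It applies the allowlists from the tables above to a requested set of sysctls: exact-match safe names are routed to SecurityContext.Sysctl.N.*, glob-matched unsafe names to HostSecurityContext.Sysctl.N.*, the names the page excludes are rejected, and vm.min_free_kbytes is checked against the 20% guidance. Routing vm.min_free_kbytes through HostSecurityContext is an assumption (the page lists it as modifiable but not under either parameter), and the function names are hypothetical; no API call is made.

```python
"""Added example (not Alibaba Cloud's SDK code): decide which ECI security
context a sysctl belongs to and emit the flattened CreateContainerGroup query
parameters. Allowlists are transcribed from the page; treating
vm.min_free_kbytes as an unsafe (HostSecurityContext) sysctl is an assumption."""
import fnmatch

# Safe sysctls go under SecurityContext.Sysctl.N.* (exact names only).
SAFE_SYSCTLS = {"net.ipv4.ping_group_range", "net.ipv4.ip_unprivileged_port_start"}

# Unsafe sysctls go under HostSecurityContext.Sysctl.N.* (glob patterns).
UNSAFE_PATTERNS = ("kernel.shm*", "kernel.msg*", "kernel.sem", "fs.mqueue.*",
                   "net.*", "vm.min_free_kbytes")  # vm.min_free_kbytes: assumed unsafe

# Names the page excludes from every list; they can never be set.
BLOCKED = {"kernel.shm_rmid_forced", "net.ipv4.tcp_syncookies",
           "net.ipv4.ip_local_port_range"}

MIN_FREE_KBYTES_FRACTION = 0.2  # page guidance: at most 20% of instance memory


def classify(name):
    """Return 'safe', 'unsafe', 'blocked' or 'unsupported' for a sysctl name."""
    if name in BLOCKED:
        return "blocked"
    if name in SAFE_SYSCTLS:
        return "safe"
    if any(fnmatch.fnmatchcase(name, pattern) for pattern in UNSAFE_PATTERNS):
        return "unsafe"
    return "unsupported"


def validate_sysctls(sysctls, memory_gib=None):
    """Return a list of problems (empty when the mapping is acceptable)."""
    problems = []
    for name, value in sysctls.items():
        kind = classify(name)
        if kind in ("blocked", "unsupported"):
            problems.append(f"{name}: {kind} in Elastic Container Instance")
        elif name == "vm.min_free_kbytes" and memory_gib is not None:
            limit_kib = MIN_FREE_KBYTES_FRACTION * memory_gib * 1024 * 1024
            if int(value) > limit_kib:
                problems.append(f"{name}={value} exceeds 20% of {memory_gib} GiB")
    return problems


def build_sysctl_params(sysctls, memory_gib=None):
    """Flatten {name: value} into SecurityContext.Sysctl.N.Name/Value and
    HostSecurityContext.Sysctl.N.Name/Value parameters, numbered from 1."""
    problems = validate_sysctls(sysctls, memory_gib)
    if problems:
        raise ValueError("; ".join(problems))
    params, counters = {}, {"SecurityContext": 0, "HostSecurityContext": 0}
    for name, value in sysctls.items():
        prefix = "SecurityContext" if classify(name) == "safe" else "HostSecurityContext"
        counters[prefix] += 1
        n = counters[prefix]
        params[f"{prefix}.Sysctl.{n}.Name"] = name
        params[f"{prefix}.Sysctl.{n}.Value"] = str(value)
    return params


if __name__ == "__main__":
    # Constructed sample: unprivileged ping, a larger SysV message size,
    # a listen backlog tunable and a memory reserve, on a 4 GiB instance.
    wanted = {
        "net.ipv4.ping_group_range": "0 2147483647",
        "kernel.msgmax": 65536,
        "net.core.somaxconn": 4096,
        "vm.min_free_kbytes": 65536,
    }
    for key, val in build_sysctl_params(wanted, memory_gib=4).items():
        print(f"{key}={val}")
    print(validate_sysctls({"net.ipv4.tcp_syncookies": 0}))
```

The returned dictionary maps one-to-one onto the query parameters of a CreateContainerGroup call, so it can be passed to whatever SDK or signed-request helper you already use. Keeping the rejection list explicit means a request that asks for net.ipv4.tcp_syncookies=0 fails in your own code with a clear message instead of being silently ignored or rejected by the API.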
Configure a security context for a container

Feature description

You can configure a security context for a specified container. The following table describes the parameters supported by Elastic Container Instance.

runAsUser
  The ID (UID) of the user that runs the container. This setting overrides the USER instruction in the Dockerfile.

runAsGroup
  The ID (GID) of the group that runs the container.

runAsNonRoot
  Specifies whether the container must run as a non-root user. Valid values: true or false. Default value: false.

privileged
  Specifies whether the container runs in privileged mode. A value of true runs the container in privileged mode. Default value: false.

  Note

  The privileged container feature is in internal preview. To use the feature, submit a ticket.

capabilities
  The Linux capabilities that are granted to processes in the container. For more information, see Linux capabilities.

  You can grant the following capabilities:

    • AUDIT_WRITE

    • CHOWN

    • DAC_OVERRIDE

    • FSETID

    • FOWNER

    • KILL

    • MKNOD

    • NET_ADMIN

    • NET_BIND_SERVICE

    • NET_RAW

    • SETGID

    • SETUID

    • SETFCAP

    • SETPCAP

    • SYS_CHROOT

    • SYS_PTRACE

    • SYS_RAWIO

  Note

  SYS_RAWIO is not granted by default. To use SYS_RAWIO, submit a ticket.

The following parameters are not supported. Their values are fixed at the defaults shown.

AllowedProcMountTypes
  The allowed proc mount types for the container. Default value: DefaultProcMount.

readOnlyRootFilesystem
  Specifies whether the root file system of the container is read-only. Default value: true. The value cannot be changed.

Configuration description

When you call the CreateContainerGroup API operation to create an elastic container instance, you can use Container.N.SecurityContext-related parameters to configure a security context for the container. The following table describes the relevant parameters. For more information, see CreateContainerGroup.

Container.N.SecurityContext.Capability.Add.N
  Type: array
  Example: NET_ADMIN
  Description: The capabilities that are granted to processes in the container.

Container.N.SecurityContext.ReadOnlyRootFilesystem
  Type: boolean
  Example: true
  Description: Specifies whether the root file system of the container is read-only. Set the value to true.

Container.N.SecurityContext.RunAsUser
  Type: long
  Example: 1000
  Description: The ID of the user that runs the container.

Container.N.SecurityContextRunAsGroup
  Type: long
  Example: 3000
  Description: The ID of the group that runs the container.

Container.N.SecurityContextRunAsNonRoot
  Type: boolean
  Example: true
  Description: Specifies whether to run the container as a non-root user. Default value: false. Valid values:

    • true: runs the container as a non-root user.

    • false: runs the container as the root user.

Container.N.SecurityContextPrivileged
  Type: boolean
  Example: true
  Description: Specifies whether to run the container in privileged mode. Default value: false. Valid values:

    • true: runs the container in privileged mode.

    • false: does not run the container in privileged mode.

Note

The privileged container feature is in internal preview. To use the feature, submit a ticket.

Note

You can also configure security contexts for init containers. The parameters are similar to the parameters in the preceding table, but you cannot configure the SecurityContextRunAsGroup and SecurityContextRunAsNonRoot parameters for init containers.
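The following Python helper is an added example, not Alibaba Cloud's SDK code. It validates a container security context against the constraints described in this section (the capability allowlist, the ticket-gated SYS_RAWIO and privileged mode, the true-only ReadOnlyRootFilesystem, and the init container restriction) and flattens it into the Container.N.SecurityContext* query parameters named in the table above, copying those names verbatim. The InitContainer.N prefix for init containers and the check that runAsNonRoot=true conflicts with runAsUser=0 (Kubernetes validation semantics) are assumptions, and the function names are hypothetical.

```python
"""Added example (not Alibaba Cloud's SDK code): validate a container security
context against the limits described on this page and flatten it into
Container.N.SecurityContext* query parameters. Parameter names are copied from
the page's table; the InitContainer.N prefix and the runAsNonRoot/runAsUser=0
conflict check (Kubernetes semantics) are assumptions."""

GRANTABLE_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "KILL", "MKNOD",
    "NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW", "SETGID", "SETUID", "SETFCAP",
    "SETPCAP", "SYS_CHROOT", "SYS_PTRACE",
}
TICKET_GATED_CAPS = {"SYS_RAWIO"}  # listed on the page, granted only after a ticket


def validate_container_security(ctx, *, init=False, rawio_approved=False,
                                privileged_approved=False):
    """Return a list of problems for a securityContext given as a dict with the
    keys used on this page: runAsUser, runAsGroup, runAsNonRoot, privileged,
    capabilities and readOnlyRootFilesystem."""
    problems = []
    for cap in ctx.get("capabilities", []):
        if cap in TICKET_GATED_CAPS and not rawio_approved:
            problems.append(f"{cap} requires a ticket")
        elif cap not in GRANTABLE_CAPS | TICKET_GATED_CAPS:
            problems.append(f"{cap} is not a grantable capability")
    if ctx.get("privileged") and not privileged_approved:
        problems.append("privileged mode is in internal preview; submit a ticket")
    if ctx.get("readOnlyRootFilesystem") is False:
        problems.append("readOnlyRootFilesystem must be true")
    if init and ("runAsGroup" in ctx or "runAsNonRoot" in ctx):
        problems.append("init containers cannot set runAsGroup or runAsNonRoot")
    # Assumed from Kubernetes validation: asking for non-root while pinning
    # UID 0 is contradictory and should be rejected before the request is sent.
    if ctx.get("runAsNonRoot") and ctx.get("runAsUser") == 0:
        problems.append("runAsNonRoot=true conflicts with runAsUser=0")
    return problems


def build_container_params(index, ctx, *, init=False, **approvals):
    """Flatten one container's security context into query parameters."""
    problems = validate_container_security(ctx, init=init, **approvals)
    if problems:
        raise ValueError("; ".join(problems))
    base = ("InitContainer" if init else "Container") + f".{index}"  # InitContainer prefix assumed
    params = {}
    for n, cap in enumerate(ctx.get("capabilities", []), start=1):
        params[f"{base}.SecurityContext.Capability.Add.{n}"] = cap
    if "readOnlyRootFilesystem" in ctx:
        params[f"{base}.SecurityContext.ReadOnlyRootFilesystem"] = "true"
    if "runAsUser" in ctx:
        params[f"{base}.SecurityContext.RunAsUser"] = str(ctx["runAsUser"])
    if "runAsGroup" in ctx:
        params[f"{base}.SecurityContextRunAsGroup"] = str(ctx["runAsGroup"])
    if "runAsNonRoot" in ctx:
        params[f"{base}.SecurityContextRunAsNonRoot"] = str(ctx["runAsNonRoot"]).lower()
    if "privileged" in ctx:
        params[f"{base}.SecurityContextPrivileged"] = str(ctx["privileged"]).lower()
    return params


if __name__ == "__main__":
    # Constructed sample: a web server that must bind port 80 without root.
    web = {"runAsUser": 1000, "runAsGroup": 3000, "runAsNonRoot": True,
           "readOnlyRootFilesystem": True, "capabilities": ["NET_BIND_SERVICE"]}
    for key, val in build_container_params(1, web).items():
        print(f"{key}={val}")
    print(validate_container_security({"capabilities": ["SYS_RAWIO", "SYS_ADMIN"]}))
```

The sample container is the least-privilege shape this page supports: a fixed non-root UID and GID, runAsNonRoot as a guard against an image whose USER instruction later changes, a read-only root file system, and a single capability rather than privileged mode. One caveat when granting a capability to a non-root container: on runc-style runtimes a capability added through the security context is not automatically in the process's effective set after exec unless the binary carries file capabilities, so if the service only needs a low port, the safe sysctl net.ipv4.ip_unprivileged_port_start from the instance section is often the simpler route.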