summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--flags/src/main/java/com/yahoo/vespa/flags/Flags.java12
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java14
2 files changed, 2 insertions, 24 deletions
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index a5071e9cda3..a17b4aa76c3 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -205,18 +205,6 @@ public class Flags {
"Takes effect on next node agent tick (but does not clear existing failure reports)",
HOSTNAME);
- public static final UnboundBooleanFlag RESTRICT_ACQUIRING_NEW_PRIVILEGES = defineFeatureFlag(
- "restrict-acquiring-new-privileges", false,
- "Whether docker container processes should be prevented from acquiring new privileges",
- "Takes effect on container creation",
- APPLICATION_ID, NODE_TYPE, HOSTNAME);
-
- public static final UnboundListFlag<String> AUDITED_PATHS = defineListFlag(
- "audited-paths", List.of(), String.class,
- "List of paths that should audited",
- "Takes effect on next host admin tick",
- HOSTNAME);
-
public static final UnboundBooleanFlag GENERATE_L4_ROUTING_CONFIG = defineFeatureFlag(
"generate-l4-routing-config", false,
"Whether routing nodes should generate L4 routing config",
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
index 8ce15db874c..dbf6cddce83 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
@@ -2,15 +2,11 @@
package com.yahoo.vespa.hosted.node.admin.docker;
import com.google.common.net.InetAddresses;
-import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.DockerImage;
import com.yahoo.config.provision.HostName;
import com.yahoo.config.provision.NodeType;
import com.yahoo.config.provision.SystemName;
-import com.yahoo.vespa.flags.BooleanFlag;
-import com.yahoo.vespa.flags.FetchVector;
import com.yahoo.vespa.flags.FlagSource;
-import com.yahoo.vespa.flags.Flags;
import com.yahoo.vespa.hosted.dockerapi.Container;
import com.yahoo.vespa.hosted.dockerapi.ContainerResources;
import com.yahoo.vespa.hosted.dockerapi.ContainerStats;
@@ -54,13 +50,11 @@ public class DockerOperationsImpl implements DockerOperations {
private final Docker docker;
private final Terminal terminal;
private final IPAddresses ipAddresses;
- private final BooleanFlag noNewPrivilegesFlag;
public DockerOperationsImpl(Docker docker, Terminal terminal, IPAddresses ipAddresses, FlagSource flagSource) {
this.docker = docker;
this.terminal = terminal;
this.ipAddresses = ipAddresses;
- this.noNewPrivilegesFlag = Flags.RESTRICT_ACQUIRING_NEW_PRIVILEGES.bindTo(flagSource);
}
@Override
@@ -90,12 +84,8 @@ public class DockerOperationsImpl implements DockerOperations {
.withAddCapability("SYS_ADMIN") // Needed for perf
.withAddCapability("SYS_NICE"); // Needed for set_mempolicy to work
- boolean noNewPrivileges = noNewPrivilegesFlag
- .with(FetchVector.Dimension.HOSTNAME, context.hostname().value())
- .with(FetchVector.Dimension.APPLICATION_ID, context.node().owner().map(ApplicationId::serializedForm).orElse(null))
- .with(FetchVector.Dimension.NODE_TYPE, context.nodeType().name())
- .value();
- if (noNewPrivileges)
+ // Proxy and controller require new privileges to bind port 443
+ if (context.nodeType() != NodeType.proxy && context.nodeType() != NodeType.controller)
command.withSecurityOpt("no-new-privileges");
if (context.node().membership().map(NodeMembership::clusterType).map("content"::equalsIgnoreCase).orElse(false))