Rancher Answer File Locations

December 14, 2015

They are here:

- /var/lib/cattle/etc/cattle/dns/answers.json
- /var/lib/cattle/etc/cattle/metadata/answers.json

The DNS answers file has specific entries detailing the answers to be provided to each querying container Rancher is aware of (and controls). Containers running outside of Rancher cannot query this server. The Rancher External DNS server can be used to overcome this.

Containers using host-mode networking with the io.rancher.container.dns: true label will receive the answers detailed in the «default» section.

DNS services are provided by the Rancher DNS server, which runs on each host in the Network Agent container. ...

Linux Capabilities Required By Containerised Contemporary Network Applications

November 21, 2015

To minimise the privileges you assign to a Linux container, and so increase security and minimise risk, Linux capabilities should be used instead of granting full root privileges. These provide the least privilege necessary. Here are the capabilities required by contemporary network applications.

- HAProxy: None
- Pacemaker & Corosync: NET_ADMIN and NET_BROADCAST
- Keepalived: NET_ADMIN and NET_BROADCAST
- Mounting NFS: SYS_ADMIN
- Mounting SMB: CAP_SYS_ADMIN and CAP_DAC_READ_SEARCH

Note: You should omit any leading CAP_ when specifying capabilities in a Docker Compose file or with the docker run command. ...

© 2015 - 2016 Some Guy. All rights reserved.