blob: 0c278d37c9cf1d5d5b16336a164568c982f179f7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
version: 1
kinds:
- name: frr
cap-add:
# Zebra requires these
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- AUDIT_WRITE # needed for ssh pty allocation
- name: ceos
init: false
shell: false
merge: ["env"]
# Should we cap-drop some of these in privileged mode?
# ceos kind is special. munet will add args to /sbin/init for each
# environment variable of the form `systemd.setenv=ENVNAME=VALUE` for each
# environment varialbe named ENVNAME with a value of `VALUE`. If cmd: is
# changed to anything but `/sbin/init` munet will not do this.
cmd: /sbin/init
privileged: true
env:
- name: "EOS_PLATFORM"
value: "ceoslab"
- name: "container"
value: "docker"
- name: "ETBA"
value: "4"
- name: "SKIP_ZEROTOUCH_BARRIER_IN_SYSDBINIT"
value: "1"
- name: "INTFTYPE"
value: "eth"
- name: "MAPETH0"
value: "1"
- name: "MGMT_INTF"
value: "eth0"
- name: "CEOS"
value: "1"
# cap-add:
# # cEOS requires these, except GNMI still doesn't work
# # - NET_ADMIN
# # - NET_RAW
# # - SYS_ADMIN
# # - SYS_RESOURCE # Required for the CLI
# All Caps
# - AUDIT_CONTROL
# - AUDIT_READ
# - AUDIT_WRITE
# - BLOCK_SUSPEND
# - CHOWN
# - DAC_OVERRIDE
# - DAC_READ_SEARCH
# - FOWNER
# - FSETID
# - IPC_LOCK
# - IPC_OWNER
# - KILL
# - LEASE
# - LINUX_IMMUTABLE
# - MKNOD
# - NET_ADMIN
# - NET_BIND_SERVICE
# - NET_BROADCAST
# - NET_RAW
# - SETFCAP
# - SETGID
# - SETPCAP
# - SETUID
# - SYSLOG
# - SYS_ADMIN
# - SYS_BOOT
# - SYS_CHROOT
# - SYS_MODULE
# - SYS_NICE
# - SYS_PACCT
# - SYS_PTRACE
# - SYS_RAWIO
# - SYS_RESOURCE
# - SYS_TIME
# - SYS_TTY_CONFIG
# - WAKE_ALARM
# - MAC_ADMIN - Smack project?
# - MAC_OVERRIDE - Smack project?
|
