types of containers

[cgwalters]

Right now we're using the defaults for Docker (of the host) - uid 0, default seccomp policy, etc.

There are cases where we want to be both more and less restrictive. First, I think we should push a lot of users towards OpenShift v3's RunAsRange SCC by default. Though this would break make install.

Second, I'd like to support recursive containerization - we should provide containers with access to bubblewrap. This is somewhat tricky to implement securely with Docker today - we have to have CAP_SYS_ADMIN etc. in the bounding set of the container. The easiest thing I can think of right now is to only support this with trusted base images, and explicitly turn off every other setuid binary (mount everything nosuid except for a special volume mount with bwrap?) Alternatively, we could run Docker (or any other container framework) with userns enabled (recursively) - segregate these hosts from the rest of the cluster which doesn't need it.