6ea03f9f78
Why I did it:
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking:
Microsoft ADO (number only): 14807420

How I did it:
Reduce Linux capabilities in privileged flag

How to verify it:
- Run restapi sonic-mgmt tests on sn4600c
- Check the container's settings: Privileged is false and the container has only the default Linux caps, with no extended caps.
# Build and runtime settings for the REST API docker image.
# Every per-image variable below is named by prefixing the image file name,
# $(DOCKER_RESTAPI); the variables are consumed outside this file
# (presumably by the common docker build rules; confirm there).

DOCKER_RESTAPI_STEM = docker-sonic-restapi
DOCKER_RESTAPI = $(DOCKER_RESTAPI_STEM).gz

# Packages the image depends on. Each name is defined outside this file.
$(DOCKER_RESTAPI)_DEPENDS += $(LIBNL3) $(LIBNL_GENL3) \
                             $(LIBNL_ROUTE3) $(LIBSWSSCOMMON) $(RESTAPI)

# Directory holding this image's docker sources, under $(DOCKERS_PATH).
$(DOCKER_RESTAPI)_PATH = $(DOCKERS_PATH)/$(DOCKER_RESTAPI_STEM)

# Image(s) that must be available for this one, presumably its base image;
# the name points at the Bullseye config-engine image. Confirm.
$(DOCKER_RESTAPI)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BULLSEYE)

$(DOCKER_RESTAPI)_VERSION = 1.0.0
$(DOCKER_RESTAPI)_PACKAGE_NAME = restapi

# The image is built and installed only when INCLUDE_RESTAPI is "y".
ifeq ($(INCLUDE_RESTAPI), y)
SONIC_DOCKER_IMAGES += $(DOCKER_RESTAPI)
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_RESTAPI)
endif

# Runtime options for the container (presumably passed to `docker run`).
# NOTE(review): no --privileged, --cap-add or --security-opt option appears
# in this file, so from these lines alone the container gets the runtime's
# default capability set. RUN_OPT is built with +=, so confirm that no other
# makefile or start-script template appends a wider grant.
$(DOCKER_RESTAPI)_CONTAINER_NAME = restapi
# -t allocates a pseudo-TTY.
$(DOCKER_RESTAPI)_RUN_OPT += -t
# Bind-mounts the host's Redis UNIX socket into the container. There is no
# :ro suffix, and a read-only mount would not stop a client from connecting
# anyway, so what this container can do in Redis is decided by Redis itself.
# NOTE(review): confirm the database access this gives the REST API is intended.
$(DOCKER_RESTAPI)_RUN_OPT += -v /var/run/redis/redis.sock:/var/run/redis/redis.sock
# Credentials directory is mounted read-only (:ro): the container can read it
# but cannot modify it through this mount.
$(DOCKER_RESTAPI)_RUN_OPT += -v /etc/sonic/credentials:/etc/sonic/credentials:ro
# Publishes container TCP port 8081 on host port 8081. No host address is
# given, so Docker's default is to listen on every host address; who can
# reach the API then depends on host filtering and on the service's own
# authentication. NOTE(review): confirm both.
$(DOCKER_RESTAPI)_RUN_OPT += -p=8081:8081/tcp

# Extra file shipped with the image: going by its name, the supervisor
# process-exit listener script (defined outside this file; confirm).
$(DOCKER_RESTAPI)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)