You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/setup.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,7 +17,7 @@ You can do this the **easy way** (good for single-user setups) by running Open W
17
17
<details>
18
18
<summary>
19
19
20
-
### The easy way: Run in `--privileged` mode
20
+
### The easy way: Run Open WebUI in privileged mode
21
21
22
22
</summary>
23
23
@@ -28,7 +28,7 @@ You can do this the **easy way** (good for single-user setups) by running Open W
28
28
29
29
However, **code running as part of this code execution function/tool will still run in a secure gVisor sandbox** and cannot impact the host.
30
30
31
-
This is adequate for single-user setups not exposed to the outside Internet, while still providing strong security against LLMs generating malicious code. However, if you are running a multi-user setup, or if you do not fully trust Open WebUI's code, or you the Open WebUI server's port is exposed to the outside Internet, you may want to harden it further. If so, **don't** set the `privileged` setting, and read on to the hard way instead.
31
+
This is adequate for single-user setups not exposed to the outside Internet, while still providing strong security against LLMs generating malicious code. However, if you are running a multi-user setup, or if you do not fully trust Open WebUI's code, or the Open WebUI server's HTTP port is exposed to the outside Internet, you may want to harden it further. If so, **don't** set the `privileged` setting, and read on to the hard way instead.
32
32
33
33
</details>
34
34
@@ -39,28 +39,28 @@ This is adequate for single-user setups not exposed to the outside Internet, whi
39
39
40
40
</summary>
41
41
42
-
Setting `--privileged=true` essentially removes all security measures from a container. The below is the minimal subset of changes that `--privileged=true` does that is still necessary for sandboxing.
42
+
The below is the minimal subset of changes that `--privileged=true` does that is still necessary for sandboxing to work.
43
43
44
-
* Remove the container's default **system call filter**:
44
+
* Remove the container's default **system call filter** (`seccomp`):
45
45
* On **Docker**: Add `--security-opt=seccomp=unconfined` to `docker run`.
46
46
* On **Kubernetes**: Set [`spec.securityContext.seccompProfile.type`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container) to `Unconfined`.
47
-
* If you would like to use a specific seccomp profile rather than completely removing system call filter, you can use [Dangerzone's seccomp profile](https://github.com/freedomofpress/dangerzone/blob/main/share/seccomp.gvisor.json) which is tuned to allow gVisor system calls through.
47
+
* If you would like to use a specific seccomp profile rather than running without system call filtering, you can use [Dangerzone's seccomp profile](https://github.com/freedomofpress/dangerzone/blob/main/share/seccomp.gvisor.json) which is tuned to allow gVisor system calls through.
48
48
***Why**: By default, some system calls are blocked by the [container runtime's default system call filter](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile). The use of these system calls **enhances security when running subcontainers**, but they are blocked by default because most containerized applications don't ever *need* to create subcontainers. gVisor, however, does. Specifically, gVisor needs to:
49
49
* ... create isolated namespaces using the [`unshare(2)` system call](https://www.man7.org/linux/man-pages/man2/unshare.2.html)
50
50
* ... create isolated chroots via the [`mount(2)` system call](https://www.man7.org/linux/man-pages/man2/mount.2.html)
51
51
* ... `pivot_root` into these roots via the [`pivot_root(2)` system call](https://www.man7.org/linux/man-pages/man2/pivot_root.2.html)
52
52
* ... trace sandboxed processes to block their system calls from reaching the host Linux kernel using the [`ptrace(2)` system call](https://www.man7.org/linux/man-pages/man2/ptrace.2.html)
53
-
***Mount `cgroupfs` as writable**.
53
+
***Mount `cgroupfs` as writable**:
54
54
* On **Docker**: Add `--mount=type=bind,source=/sys/fs/cgroup,target=/sys/fs/cgroup,readonly=false` to `docker run`.
55
55
* On **Kubernetes**: Add a [`hostPath` volume](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) with `path` set to `/sys/fs/cgroup`, then mount it in your container's `volumeMounts` with options `mountPath` set to `/sys/fs/cgroup` and `readOnly` set to `false`.
56
56
***Why**: This is needed so that gVisor can create child [cgroups](https://en.wikipedia.org/wiki/Cgroups), necessary to enforce per-sandbox memory usage limits.
57
-
***Set the `container_engine_t` label**:
57
+
***Set the `container_engine_t`SELinux label**:
58
58
* On **Docker**: Add `--security-opt=label=type:container_engine_t` to `docker run`.
59
59
* On **Kubernetes**: Set [`spec.securityContext.seLinuxOptions.type`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#assign-selinux-labels-to-a-container) to `container_engine_t`.
60
60
***Why**: The default SELinux label for containers (`container_t`) does not allow the creation of namespaces, which gVisor requires for additional isolation . The `container_engine_t` label allows this.
61
61
* If you don't have SELinux enabled, this setting does nothing and may be omitted.
62
62
63
-
NOTE: Per bug reports, you may also need to set `--cgroupns=host` (see issue #2 for more details). This is temporary and should stop being required soon.
63
+
NOTE: Per bug reports (see issue #2 and #3), you may also need to set `--cgroupns=host` (see issue #2 for more details). **This is temporary and should stop being required soon.**
0 commit comments