Skip to content

Commit 28b70f8

Browse files
committed
Further minor tweak to container runtime setup instructions.
1 parent d20ac71 commit 28b70f8

1 file changed

Lines changed: 8 additions & 8 deletions

File tree

docs/setup.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ You can do this the **easy way** (good for single-user setups) by running Open W
1717
<details>
1818
<summary>
1919

20-
### The easy way: Run in `--privileged` mode
20+
### The easy way: Run Open WebUI in privileged mode
2121

2222
</summary>
2323

@@ -28,7 +28,7 @@ You can do this the **easy way** (good for single-user setups) by running Open W
2828

2929
However, **code running as part of this code execution function/tool will still run in a secure gVisor sandbox** and cannot impact the host.
3030

31-
This is adequate for single-user setups not exposed to the outside Internet, while still providing strong security against LLMs generating malicious code. However, if you are running a multi-user setup, or if you do not fully trust Open WebUI's code, or you the Open WebUI server's port is exposed to the outside Internet, you may want to harden it further. If so, **don't** set the `privileged` setting, and read on to the hard way instead.
31+
This is adequate for single-user setups not exposed to the outside Internet, while still providing strong security against LLMs generating malicious code. However, if you are running a multi-user setup, or if you do not fully trust Open WebUI's code, or the Open WebUI server's HTTP port is exposed to the outside Internet, you may want to harden it further. If so, **don't** set the `privileged` setting, and read on to the hard way instead.
3232

3333
</details>
3434

@@ -39,28 +39,28 @@ This is adequate for single-user setups not exposed to the outside Internet, whi
3939

4040
</summary>
4141

42-
Setting `--privileged=true` essentially removes all security measures from a container. The below is the minimal subset of changes that `--privileged=true` does that is still necessary for sandboxing.
42+
The below is the minimal subset of changes that `--privileged=true` does that is still necessary for sandboxing to work.
4343

44-
* Remove the container's default **system call filter**:
44+
* Remove the container's default **system call filter** (`seccomp`):
4545
* On **Docker**: Add `--security-opt=seccomp=unconfined` to `docker run`.
4646
* On **Kubernetes**: Set [`spec.securityContext.seccompProfile.type`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container) to `Unconfined`.
47-
* If you would like to use a specific seccomp profile rather than completely removing system call filter, you can use [Dangerzone's seccomp profile](https://github.com/freedomofpress/dangerzone/blob/main/share/seccomp.gvisor.json) which is tuned to allow gVisor system calls through.
47+
* If you would like to use a specific seccomp profile rather than running without system call filtering, you can use [Dangerzone's seccomp profile](https://github.com/freedomofpress/dangerzone/blob/main/share/seccomp.gvisor.json) which is tuned to allow gVisor system calls through.
4848
* **Why**: By default, some system calls are blocked by the [container runtime's default system call filter](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile). The use of these system calls **enhances security when running subcontainers**, but they are blocked by default because most containerized applications don't ever *need* to create subcontainers. gVisor, however, does. Specifically, gVisor needs to:
4949
* ... create isolated namespaces using the [`unshare(2)` system call](https://www.man7.org/linux/man-pages/man2/unshare.2.html)
5050
* ... create isolated chroots via the [`mount(2)` system call](https://www.man7.org/linux/man-pages/man2/mount.2.html)
5151
* ... `pivot_root` into these roots via the [`pivot_root(2)` system call](https://www.man7.org/linux/man-pages/man2/pivot_root.2.html)
5252
* ... trace sandboxed processes to block their system calls from reaching the host Linux kernel using the [`ptrace(2)` system call](https://www.man7.org/linux/man-pages/man2/ptrace.2.html)
53-
* **Mount `cgroupfs` as writable**.
53+
* **Mount `cgroupfs` as writable**:
5454
* On **Docker**: Add `--mount=type=bind,source=/sys/fs/cgroup,target=/sys/fs/cgroup,readonly=false` to `docker run`.
5555
* On **Kubernetes**: Add a [`hostPath` volume](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) with `path` set to `/sys/fs/cgroup`, then mount it in your container's `volumeMounts` with options `mountPath` set to `/sys/fs/cgroup` and `readOnly` set to `false`.
5656
* **Why**: This is needed so that gVisor can create child [cgroups](https://en.wikipedia.org/wiki/Cgroups), necessary to enforce per-sandbox memory usage limits.
57-
* **Set the `container_engine_t` label**:
57+
* **Set the `container_engine_t` SELinux label**:
5858
* On **Docker**: Add `--security-opt=label=type:container_engine_t` to `docker run`.
5959
* On **Kubernetes**: Set [`spec.securityContext.seLinuxOptions.type`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#assign-selinux-labels-to-a-container) to `container_engine_t`.
6060
* **Why**: The default SELinux label for containers (`container_t`) does not allow the creation of namespaces, which gVisor requires for additional isolation . The `container_engine_t` label allows this.
6161
* If you don't have SELinux enabled, this setting does nothing and may be omitted.
6262

63-
NOTE: Per bug reports, you may also need to set `--cgroupns=host` (see issue #2 for more details). This is temporary and should stop being required soon.
63+
NOTE: Per bug reports (see issue #2 and #3), you may also need to set `--cgroupns=host` (see issue #2 for more details). **This is temporary and should stop being required soon.**
6464

6565
</details>
6666

0 commit comments

Comments
 (0)