academy/mq-container
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
ea38c9cd5c1114bda1cf3dbd6dcba14d5b665105
mq-container/docs/security.md
Stephen Marshall ea38c9cd5c Remove seLinuxOption spc_t from README
2020-02-28 16:49:25 +00:00

1.0 KiB
Raw Blame History

Security

Container runtime

User

The MQ server image is run using the "mqm" user, with a fixed UID and GID of 888.

Capabilities

The MQ Advanced image requires no Linux capabilities, so you can drop any capabilities which are added by default. For example, in Docker you could do the following:

docker run \
  --cap-drop=ALL \
  --env LICENSE=accept \
  --env MQ_QMGR_NAME=QM1 \
  --detach \
  ibm-mqadvanced-server:9.1.4.0-amd64

The MQ Advanced for Developers image does require the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux). This is because it uses the "sudo" command to change passwords inside the container. For example, in Docker, you could do the following:

docker run \
  --cap-drop=ALL \
  --cap-add=CHOWN \
  --cap-add=SETUID \
  --cap-add=SETGID \
  --cap-add=AUDIT_WRITE \
  --env LICENSE=accept \
  --env MQ_QMGR_NAME=QM1 \
  --detach \
  ibm-mqadvanced-server-dev:9.1.4.0-amd64
Reference in New Issue View Git Blame Copy Permalink