Constraints on Container Capabilities

  • The FusionDirector application management function does not support the following high-risk container settings:
    • The privileged container cannot be configured.
    • hostPath, emptyDir, Secret, and ResourceFile volumes cannot be mounted. Only ConfigMap volumes are supported.
    • The capability set cannot be configured.
    • The user ID and group ID of the container cannot be set to 0, that is, the container cannot run as root.
    • The host network cannot be configured.
    • The container probe cannot be configured.
    • Seccomp cannot be configured.
    • Boot commands cannot be configured.
  • When a container is deployed from the WebUI of the Atlas 500 AI edge station (model 3000), the following cannot be configured: volumes mounted from the host, attached files, the host network, and privileged mode. The container cannot run as the root user either.
  • The following permissions are restricted for the deployed container:
    • Privilege escalation through the set-user-ID or set-group-ID file mode bits is blocked.
    • The default capability set that Docker grants to containers is dropped.
    • The root file system of the container is mounted read-only.
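The two lists above describe a policy in two halves: settings a pod spec is not allowed to carry, and restrictions the platform applies to every deployed container regardless of what the spec says. The following is an added example, not FusionDirector's own code, that encodes that policy as a pre-deployment check over a Kubernetes-style pod spec (a plain dict as parsed from YAML or JSON; field names follow the Kubernetes API and are assumed to be what the management WebUI generates). `check_pod_spec` reports every violation of the first list, and `apply_platform_restrictions` returns a copy of the spec with the second list's restrictions set on each container. Both sample specs are constructed for this example.

```python
# Added example: a pre-deployment check for the container constraints listed
# above. Illustrative code, not the product's implementation; pod-spec field
# names follow the Kubernetes API (assumption: the WebUI emits this shape).
import copy

ALLOWED_VOLUME_TYPES = {"configMap"}          # hostPath, emptyDir, secret, ... rejected
PROBE_FIELDS = ("livenessProbe", "readinessProbe", "startupProbe")


def check_pod_spec(spec):
    """Return the list of constraint violations found in `spec` (empty list = accepted)."""
    violations = []
    pod_sc = spec.get("securityContext") or {}

    if spec.get("hostNetwork"):
        violations.append("pod: hostNetwork is not supported")
    if "seccompProfile" in pod_sc:
        violations.append("pod: seccomp cannot be configured")

    for vol in spec.get("volumes") or []:
        # A Kubernetes volume object carries its name plus exactly one type key.
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                violations.append(
                    f"volume {vol.get('name')!r}: {vol_type} is not supported, only configMap")

    for c in spec.get("containers") or []:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name!r}: privileged is not supported")
        if "capabilities" in sc:
            violations.append(f"container {name!r}: capability set cannot be configured")
        if "seccompProfile" in sc:
            violations.append(f"container {name!r}: seccomp cannot be configured")
        # Container-level UID/GID override pod-level values, as in Kubernetes.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        gid = sc.get("runAsGroup", pod_sc.get("runAsGroup"))
        if uid == 0 or gid == 0:
            violations.append(f"container {name!r}: user or group ID 0 is not allowed")
        if "command" in c or "args" in c:
            violations.append(f"container {name!r}: boot command cannot be configured")
        for probe in PROBE_FIELDS:
            if probe in c:
                violations.append(f"container {name!r}: {probe} cannot be configured")
    return violations


def apply_platform_restrictions(spec):
    """Return a copy of `spec` with the restrictions enforced on every deployed container."""
    hardened = copy.deepcopy(spec)
    for c in hardened.get("containers") or []:
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False   # setuid/setgid escalation blocked
        sc["capabilities"] = {"drop": ["ALL"]}   # Docker default capability set dropped
        sc["readOnlyRootFilesystem"] = True      # root file system mounted read-only
    return hardened


# Constructed sample: stays inside the constraints (ConfigMap volume, non-root UID/GID).
COMPLIANT_SPEC = {
    "containers": [{
        "name": "app",
        "image": "example/app:1.0",
        "volumeMounts": [{"name": "cfg", "mountPath": "/etc/app"}],
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
    }],
    "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
}

# Constructed sample: breaks several constraints at once.
NONCOMPLIANT_SPEC = {
    "hostNetwork": True,
    "containers": [{
        "name": "app",
        "image": "example/app:1.0",
        "command": ["/bin/sh", "-c", "exec /app"],
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "securityContext": {
            "privileged": True,
            "runAsUser": 0,
            "capabilities": {"add": ["SYS_ADMIN"]},
        },
    }],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
}

if __name__ == "__main__":
    for label, spec in (("compliant", COMPLIANT_SPEC), ("non-compliant", NONCOMPLIANT_SPEC)):
        print(label, check_pod_spec(spec) or "accepted")
    print(apply_platform_restrictions(COMPLIANT_SPEC)["containers"][0]["securityContext"])
```

Running the check first and the hardening second mirrors the page: a spec that tries to configure capabilities, seccomp or a root UID is refused outright, while a spec that passes still gets `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `readOnlyRootFilesystem: true` applied on top of whatever it declared.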