Examples of configured runtime profiles

The table below presents a few of the images that are most frequently used by the application, and the settings for their configured restrictions in runtime profiles.

Images and their configured settings

Image name

Restrict container executable modules

Restrict network connections

Nginx

Allowed executable file:

/usr/sbin/nginx

Block outbound connections

Mysql

Allowed executable files:

/usr/bin/awk

/bin/sleep

/usr/bin/mawk

/bin/mkdir

/usr/bin/mysql

/bin/chown

/usr/bin/mysql_tzinfo_to_sql

/bin/bash

/bin/sed

/usr/sbin/mysqld

Block outbound connections

Wordpress

Allowed executable files:

/bin/dash

/usr/bin/mawk

/usr/bin/cut

/bin/bash

/usr/local/bin/php

/usr/bin/head

/usr/bin/sha1sum

/bin/tar

/bin/sed

/bin/rm

/usr/bin/awk

/bin/sh

/usr/sbin/apache2

/bin/chown

/usr/local/bin/apache2-foreground

/bin/ls

/bin/cat

"No" icon.

Node

Allowed executable file:

/usr/local/bin/node

Block outbound connections

MongoDB

Allowed executable files:

/bin/chown

/usr/local/bin/gosu

/usr/bin/mongod

/usr/bin/mongos

/usr/bin/mongo

/usr/bin/id

/bin/bash

/usr/bin/numactl

/bin/dash

/bin/sh

"No" icon.

HAProxy

Allowed executable files:

/bin/dash

/usr/bin/which

/usr/local/sbin/haproxy

/bin/busyboxal/sbin/haproxy-systemd-wrapper

/usr/loc

"No" icon.

Hipache

Allowed executable files:

/usr/bin/python2.7

/usr/bin/nodejs

/usr/bin/redis-server

/bin/dash

/usr/local/bin/hipache

"No" icon.

Drupal

Allowed executable files:

/bin/bash

/bin/rm

/usr/sbin/apache2

"No" icon.

Redis

Allowed executable files:

/bin/bash

/bin/chown

/usr/local/bin/gosu

/usr/bin/id

/usr/local/bin/redis-server

/bin/sh

/bin/dash

/sbin/redis-cli

/bin/redis-cli

/usr/sbin/redis-cli

/usr/bin/redis-cli

/usr/local/sbin/redis-cli

/usr/local/bin/redis-cli

/bin/busybox

Block outbound connections

Tomcat

Allowed executable files:

/usr/bin/tty

/bin/uname

/usr/bin/dirname

/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java

/bin/dash

/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Block outbound connections

Celery

Allowed executable files:

/bin/dash

/sbin/ldconfig

/bin/uname

/usr/local/bin/python3.4

/bin/sh

"No" icon.

Page top