seg_yinzy
/
dify-docs
mirror of https://github.com/langgenius/dify-docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: code

doc/update-install
Yeuoly 2024-04-15 10:56:07 +08:00
parent e0fbc0feec
commit 5b771d4cb9
No known key found for this signature in database
GPG Key ID: A66E7E320FB19F61
2 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
en/getting-started/install-self-hosted/README.md
View File

@ -68,11 +68,6 @@ The Dify Self hosted Edition, which is the open-source on [GitHub](https://githu
![](<../../.gitbook/assets/image (33).png>)
* **Why is SYS_ADMIN permission needed?**
The sandbox service is based on `Seccomp` for sandbox isolation, but also, Docker is based on `Seccomp` for resource isolation. In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers, so SYS_ADMIN permission is required to enable `Seccomp`.
As for the security of the sandbox service, we disabled all `file system`, `network`, `IPC`, `PID`, `user`, `mount`, `UTS`, and system access capabilities of all processes in the sandbox to ensure that malicious code is not executed. At the same time, we also isolate the files and network in the container to ensure that even if the code is executed, it cannot harm the system.
### Contributing
To ensure proper review, all code contributions - including those from contributors with direct commit access - must be submitted via pull requests and approved by the core development team prior to being merged.

11
en/getting-started/install-self-hosted/install-faq.md
View File

@ -201,4 +201,13 @@ VECTOR_STORE: weaviate
```
flask vdb-migrarte # or docker exec -it docker-api-1 flask vdb-migrarte
```
```
### 16. Why is SYS_ADMIN permission needed?**
#### **Why does the sandbox service need SYS_ADMIN permission?**
The sandbox service is based on `Seccomp` for sandbox isolation, but also, Docker is based on `Seccomp` for resource isolation. In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers, so SYS_ADMIN permission is required to enable `Seccomp`.
#### **How does the sandbox service ensure security?**
As for the security of the sandbox service, we disabled all `file system`, `network`, `IPC`, `PID`, `user`, `mount`, `UTS`, and system access capabilities of all processes in the sandbox to ensure that malicious code is not executed. At the same time, we also isolate the files and network in the container to ensure that even if the code is executed, it cannot harm the system.