seg_yinzy
/
dify-docs
mirror of https://github.com/langgenius/dify-docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: code

doc/update-install
Yeuoly 2024-04-15 10:57:56 +08:00
parent 5b771d4cb9
commit e2041f89db
No known key found for this signature in database
GPG Key ID: A66E7E320FB19F61
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
en/getting-started/install-self-hosted/install-faq.md
View File

@ -203,11 +203,12 @@ VECTOR_STORE: weaviate
flask vdb-migrarte # or docker exec -it docker-api-1 flask vdb-migrarte
```
### 16. Why is SYS_ADMIN permission needed?**
### 16. Why is SYS_ADMIN permission needed?
#### **Why does the sandbox service need SYS_ADMIN permission?**
#### Why does the sandbox service need SYS_ADMIN permission?
The sandbox service is based on `Seccomp` for sandbox isolation, but also, Docker is based on `Seccomp` for resource isolation. In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers, so SYS_ADMIN permission is required to enable `Seccomp`.
#### **How does the sandbox service ensure security?**
#### How does the sandbox service ensure security?
As for the security of the sandbox service, we disabled all `file system`, `network`, `IPC`, `PID`, `user`, `mount`, `UTS`, and system access capabilities of all processes in the sandbox to ensure that malicious code is not executed. At the same time, we also isolate the files and network in the container to ensure that even if the code is executed, it cannot harm the system.