From e2041f89dbe0e5179013137e1e555e0a959815a6 Mon Sep 17 00:00:00 2001 From: Yeuoly Date: Mon, 15 Apr 2024 10:57:56 +0800 Subject: [PATCH] fix: code --- en/getting-started/install-self-hosted/install-faq.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/en/getting-started/install-self-hosted/install-faq.md b/en/getting-started/install-self-hosted/install-faq.md index 0d5f485..a66e1f8 100644 --- a/en/getting-started/install-self-hosted/install-faq.md +++ b/en/getting-started/install-self-hosted/install-faq.md @@ -203,11 +203,12 @@ VECTOR_STORE: weaviate flask vdb-migrarte # or docker exec -it docker-api-1 flask vdb-migrarte ``` -### 16. Why is SYS_ADMIN permission needed?** +### 16. Why is SYS_ADMIN permission needed? -#### **Why does the sandbox service need SYS_ADMIN permission?** +#### Why does the sandbox service need SYS_ADMIN permission? The sandbox service is based on `Seccomp` for sandbox isolation, but also, Docker is based on `Seccomp` for resource isolation. In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers, so SYS_ADMIN permission is required to enable `Seccomp`. -#### **How does the sandbox service ensure security?** +#### How does the sandbox service ensure security? + As for the security of the sandbox service, we disabled all `file system`, `network`, `IPC`, `PID`, `user`, `mount`, `UTS`, and system access capabilities of all processes in the sandbox to ensure that malicious code is not executed. At the same time, we also isolate the files and network in the container to ensure that even if the code is executed, it cannot harm the system.
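Review bot: The two context lines at the top of this hunk still read `flask vdb-migrarte`, which looks like a misspelling of `vdb-migrate`; readers copy and paste this command, so it is worth correcting in the same pass as the heading cleanup. The unchanged paragraph under "Why does the sandbox service need SYS_ADMIN permission?" is the only justification the FAQ gives for granting a broad capability to the sandbox container. While these headings are being touched, consider having it say what the sandbox actually does with SYS_ADMIN and back the statement that Docker disables Seccomp BPF by default with a reference, so operators can evaluate the trade-off. The subject "fix: code" is also misleading, since every added line is Markdown heading markup in install-faq.md; something like "docs: fix heading markup in install FAQ item 16" would be easier to find in the log.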