Docker Containerization for TERR Scripts
A script running in an engine container without restricted execution mode has full access to that container and can do anything that is possible from inside it. How much isolation the container actually provides depends on the Docker installation and on the privileges granted to the container when it is started.
| Configuration | Description |
|---|---|
| TERR service host isolation | Scripts cannot access the file system of the host computer that runs the TERR service. |
| User isolation | Engine containers ensure that the same execution environment is not reused for data functions initiated by different users. |
| Network isolation | Depending on configuration, TERR scripts can reach the external network and any other Docker containers that are reachable from within a container. In many cases a default installation with engine containers lets scripts reach the external network, including the internet, and other Docker containers. To restrict this, the Docker containers themselves must be configured to restrict network access. If network isolation is needed, the container options should not be used without terr.restricted.execution.mode=true or additional network configuration. |
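The network-isolation row says that a default engine container can reach the internet and other containers, and that the fix is on the Docker side. The following Docker Compose file, added here as an illustration and not part of the TERR product or its documentation, places the default (weak) container definition beside two hardened variants. The image name terr-engine:example, the service names and the idea that the TERR service could be pointed at these definitions are assumptions; the TERR service may start engine containers by another mechanism, but the same Docker options apply.

```yaml
# Added example, not TIBCO's shipped configuration. Image and service names are
# assumptions; the Docker options themselves are standard.
services:
  # Weak: no network settings, so the container joins the default bridge network.
  # A script inside can reach the internet and every other container on that bridge.
  engine-default:
    image: terr-engine:example

  # Restricted: no network stack at all. A script cannot open a socket to the host,
  # to other containers, or to the internet. Pair this with restricted execution mode.
  engine-isolated:
    image: terr-engine:example
    network_mode: "none"
    read_only: true                   # scripts cannot change the image filesystem
    tmpfs:
      - /tmp                          # scratch space that disappears with the container
    cap_drop:
      - ALL                           # drop every Linux capability
    security_opt:
      - no-new-privileges:true        # setuid/setgid binaries cannot raise privileges
    pids_limit: 256                   # bounds a runaway or forking script

  # Middle ground: the engine may talk only to containers on a named internal
  # network. internal: true means Docker attaches no gateway, so there is no
  # route to the host network or the internet.
  engine-internal:
    image: terr-engine:example
    networks:
      - engines-only
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true

networks:
  engines-only:
    internal: true
```

To confirm which mode a running engine container actually received, inspect it rather than trusting the definition: docker inspect --format '{{.HostConfig.NetworkMode}}' CONTAINER prints none for the isolated variant and the network name for the internal one; a value of default or bridge means scripts still have outbound access.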
Parent topic: Script Security & Restricted Execution Modes