DB2 privileged mode is no longer required and should be removed

[rnorth]

Currently our DB2Container class uses privileged mode; I think on the basis of this blog post: https://db2indocker.blogspot.com/2015/04/db2-do-not-start-in-un-privileged.html

Kernel 3.15 went EOL in 2014, so this seems like a workaround that shouldn’t be particularly necessary if it’s just for the reason cited in that blog post.

I would suggest that we remove the requirement for privileged mode for the DB2 container, which would mean that none of our modules use privileged mode at all any more. This is ~ better for everybody's security.

Users would still be able to turn on privileged mode for the DB2 container if their kernel made it essential, but I think this is unlikely.

[kiview]

Interestingly, the docs of the official image still use the --privileged flag in their quick start.
However, I just tried it out with --cap-add IPC_LOCK --cap-add IPC_OWNER, as documented in the blog post, and it works fine, also on Windows.

[rnorth]

@kiview I think we can go further:

The main reason behind this is that DB2 needs larger shared memory segments. By default, Linux containers get shared memory segments of 32 MB in Kernel Versions less than 3.16.
In kernel versions 3.16 and above this issue has been addressed and Linux containers get much larger shared memory segments.

and

Please note that we need to do --ipc="host" only if we are working on kernel version less then 3.16. Note that this reduces the security isolation of your container but still better then the privileged mode.

i.e. with newer kernels I think that DB2 won't be needing to do anything exotic with IPC, which would be even better!

[kiview]

Indeed, --ipc="host" can omitted. However, the capabilities I mentioned were needed on my 5.x kernel.

[linghengqian]

• I will say that I'm curious why Remove privilegedMode in Db2Container #9460 is insufficient to fix the current issue.