Jailer Configuration - documentation clarification

Open mtcolman opened this issue 2 years ago • 2 comments

Not a bug, but not a feature request. It's related to documentation. On this page in the Jailer Configuration section it states:

For assuring secure isolation in production deployments, Firecracker should must be started using the jailer binary that's part of each Firecracker release, or executed under process constraints equal or more restrictive than those in the jailer.

The key part being Firecracker should must be started. Which is it - "should" or "must" (I presume the latter)?

Thanks.

mtcolman, Jul 05 '22 10:07

I am not so good at this topic, but I found this issue interesting. I prefer the word "should" when that indicates the responsibilities and duties of a person. I prefer the word "must" to enforce the task compulsorily.

There are a lot of cases where developers may decide to start the Firecracker binary without the jailer. For example, the developer may have ensured the security of the sandbox where Firecracker is going to run. In that case, the jailer is overkill (in terms of security).

In short, from my point of view, using the jailer is a recommendation rather than strictly enforced. So, I upvote for the "should" 🙂.

KarthikNedunchezhiyan, Jul 20 '22 00:07

Hi,

Currently I have an open PR https://github.com/firecracker-microvm/firecracker/pull/3060#pullrequestreview-1043947084 which actually touched that sentence too and tried to clarify it. Please feel free to comment and review the PR itself :)

@KarthikNedunchezhiyan's interpretation is also mine at the moment. We recommend using the jailer in production to mitigate security threats, but Firecracker can work without the jailer, and if the user does not care about such risk or has mitigated it in other ways, it may be a valid solution as well.

xmarcalx, Jul 20 '22 18:07

Aforementioned PR #3060 was merged.

dianpopa, Nov 14 '22 11:11