docs/setup.md
14 additions & 0 deletions
@@ -61,6 +61,20 @@ This is adequate for single-user setups not exposed to the outside Internet, whi
 ***Why**: The default SELinux label for containers (`container_t`) does not allow the creation of namespaces, which gVisor requires for additional isolation . The `container_engine_t` label allows this.
 * If you don't have SELinux enabled, this setting does nothing and may be omitted.
 
+#### Minimal Docker compose file
+
+```
+services:
+  open-webui:
+    image: ghcr.io/open-webui/open-webui:main
+    security_opt:
+      - seccomp:unconfined
+      - apparmor=unconfined
+      - label=type:container_engine_t
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+```
+
 #### Does the "hard way" actually provide more security than privileged mode?
 
 **The short answer**: Yes; a container running in privileged mode basically has full access to the host, whereas the subset of security options listed in the "hard way" still provide isolation.
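Review bot: the new compose snippet documents only one of its four host-facing settings; the bullets above this hunk explain why `label=type:container_engine_t` is needed, but `seccomp:unconfined`, `apparmor=unconfined` and the read-write `/sys/fs/cgroup` bind mount each drop a default confinement layer on the host without a word of justification, and the very next section claims the "hard way" still provides isolation. Add a one-line "Why" bullet for each of those three settings in the same style as the SELinux bullet (what gVisor needs from it, and that it can be omitted where the mechanism is not in use) so readers can judge what is actually still isolated. Also tag the fence as ```yaml so the compose file is highlighted.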