
[docker-database] limit privileged flag for database container #19248

Merged
merged 3 commits into from
Jul 22, 2024

Conversation

maipbui (Contributor) commented Jun 7, 2024

Why I did it

HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
  • Microsoft ADO (number only): 14807420

How I did it

Reduce Linux capabilities in the privileged flag

How to verify it

Check the container's settings: Privileged is false and the container only has the default Linux caps, not extended caps.

```
admin@vlab-08:~$ docker inspect database0 | jq '.[0] | {CapAdd: .HostConfig.CapAdd, Privileged: .HostConfig.Privileged, AppArmor: .AppArmorProfile, SecurityOpt: .HostConfig.SecurityOpt, Devices: .HostConfig.Devices, MaskedPath: .HostConfig.MaskedPaths, ReadonlyPaths: .HostConfig.ReadonlyPaths}'
{
  "CapAdd": null,
  "Privileged": false,
  "AppArmor": "unconfined",
  "SecurityOpt": [
    "apparmor=unconfined"
  ],
  "Devices": [],
  "MaskedPath": [],
  "ReadonlyPaths": []
}
```

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211
  • 202305

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: Mai Bui <maibui@microsoft.com>
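The verification step above reads the `docker inspect` output by eye. As an added example (not code from the PR or from SONiC), the Python audit below applies the same checks to `docker inspect` JSON and also flags what the new run options leave open: `apparmor=unconfined`, and `systempaths=unconfined`, which the docker CLI records as empty `MaskedPaths`/`ReadonlyPaths` rather than as a `SecurityOpt` entry (as the output above shows). The two sample records are constructed, and `HIGH_RISK_CAPS` is my own selection.

```python
import json

# Capabilities whose presence in CapAdd largely undoes the benefit of dropping --privileged
# (my own selection for this example, not a list from the PR).
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "DAC_READ_SEARCH"}


def audit_host_config(inspect_output):
    """Return (severity, message) findings for the first record of `docker inspect` JSON."""
    hc = json.loads(inspect_output)[0]["HostConfig"]
    findings = []
    if hc.get("Privileged"):
        findings.append(("high", "Privileged=true: all capabilities and host devices, "
                                 "no AppArmor/seccomp confinement, no masked paths"))

    caps = {c[4:] if c.startswith("CAP_") else c for c in (hc.get("CapAdd") or [])}
    for cap in sorted(caps & HIGH_RISK_CAPS):
        findings.append(("high", f"CapAdd grants CAP_{cap}"))
    for cap in sorted(caps - HIGH_RISK_CAPS):
        findings.append(("low", f"CapAdd grants CAP_{cap} beyond the default set"))

    for opt in hc.get("SecurityOpt") or []:
        if opt == "apparmor=unconfined":
            findings.append(("medium", "AppArmor profile disabled"))
        elif opt == "seccomp=unconfined":
            findings.append(("medium", "seccomp filter disabled"))

    # The docker CLI records `--security-opt systempaths=unconfined` by clearing
    # MaskedPaths/ReadonlyPaths, not as a SecurityOpt entry (matches the PR's output).
    if not hc.get("Privileged") and not hc.get("MaskedPaths"):
        findings.append(("medium", "MaskedPaths empty: /proc and /sys entries Docker "
                                   "normally masks are exposed (systempaths=unconfined)"))
    return findings


def is_hardened(inspect_output):
    """True when nothing is 'high': no --privileged and no high-risk CapAdd."""
    return all(sev != "high" for sev, _ in audit_host_config(inspect_output))


# Constructed records, trimmed to the fields read above: the old --privileged options
# and the new ones from this PR (Privileged false, AppArmor unconfined, no masked paths).
BEFORE = json.dumps([{"HostConfig": {"Privileged": True, "CapAdd": None, "SecurityOpt": None,
                                     "MaskedPaths": None, "ReadonlyPaths": None}}])
AFTER = json.dumps([{"HostConfig": {"Privileged": False, "CapAdd": None,
                                    "SecurityOpt": ["apparmor=unconfined"],
                                    "MaskedPaths": [], "ReadonlyPaths": []}}])

if __name__ == "__main__":
    for label, record in (("before", BEFORE), ("after", AFTER)):
        print(label, "hardened" if is_hardened(record) else "NOT hardened")
        for sev, msg in audit_host_config(record):
            print(f"  [{sev}] {msg}")
```

On a real host, pipe `docker inspect database0` into `audit_host_config`; the "after" record passes `is_hardened` but still reports two medium findings.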
@@ -28,7 +28,7 @@ SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_DATABASE_DBG)
SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_DATABASE_DBG)

$(DOCKER_DATABASE)_CONTAINER_NAME = database
$(DOCKER_DATABASE)_RUN_OPT += --privileged -t
$(DOCKER_DATABASE)_RUN_OPT += -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
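Review bot: the new `$(DOCKER_DATABASE)_RUN_OPT` line drops `--privileged` but still disables two of Docker's default isolation layers: `--security-opt apparmor=unconfined` turns off the AppArmor profile and `--security-opt="systempaths=unconfined"` leaves MaskedPaths and ReadonlyPaths empty, which is exactly what the `docker inspect` output in the description shows (`"AppArmor": "unconfined"`, `"MaskedPath": []`, `"ReadonlyPaths": []`). Since the only stated reason is the test_snmp_loopback failure, a comment on this line in the .mk file recording that dependency would let a later pass narrow the options instead of keeping both indefinitely, and the two `--security-opt` arguments should use the same quoting style (`--security-opt apparmor=unconfined` versus `--security-opt="systempaths=unconfined"`).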
maipbui (Contributor Author) commented:

--security-opt apparmor=unconfined --security-opt="systempaths=unconfined"

These arguments are necessary for the test_snmp_loopback test case.

```
========================================================================== FAILURES ===========================================================================
___________________________________________________________ test_snmp_loopback[vlab-08-IPv6Address] ___________________________________________________________

duthosts = [<MultiAsicSonicHost vlab-08>], enum_rand_one_per_hwsku_frontend_hostname = 'vlab-08'
nbrhosts = {'ARISTA01T0': <EosHost VM0129>, 'ARISTA01T2': <EosHost VM0128>}
tbinfo = {'auto_recover': 'False', 'comment': 'Tests multi-asic virtual switch vm', 'conf-name': 'vms-kvm-four-asic-t1-lag', 'duts': ['vlab-08'], ...}
localhost = <tests.common.devices.local.Localhost object at 0x7f0cb45781f0>
creds_all_duts = {'vlab-08': {'ansible_altpasswords': [], 'ansible_become_pass': 'password', 'ansible_ssh_pass': 'password', 'ansible_ssh_user': 'user', ...}}
ip_version = <class 'ipaddress.IPv6Address'>

    @pytest.mark.parametrize('ip_version', [ipaddress.IPv4Address, ipaddress.IPv6Address])
    def test_snmp_loopback(duthosts, enum_rand_one_per_hwsku_frontend_hostname,
                           nbrhosts, tbinfo, localhost, creds_all_duts, ip_version):
        """
        Test SNMP query to DUT over loopback IP
          - Send SNMP query over loopback IP from one of the BGP Neighbors
          - Get SysDescr from snmpfacts
          - compare result from snmp query over loopback IP and snmpfacts
        """
        duthost = duthosts[enum_rand_one_per_hwsku_frontend_hostname]
        hostip = duthost.host.options['inventory_manager'].get_host(
            duthost.hostname).vars['ansible_host']
        snmp_facts = get_snmp_facts(
            localhost, host=hostip, version="v2c",
            community=creds_all_duts[duthost.hostname]["snmp_rocommunity"], wait=True)['ansible_facts']
        config_facts = duthost.config_facts(
            host=duthost.hostname, source="persistent")['ansible_facts']
        # Get first neighbor VM information
        nbr = nbrhosts[list(nbrhosts.keys())[0]]

        for ip in config_facts['LOOPBACK_INTERFACE']['Loopback0']:
            loip = ip.split('/')[0]
            ipaddr = ipaddress.ip_address(loip)
            if not isinstance(ipaddr, ip_version):
                continue
            if isinstance(ipaddr, ipaddress.IPv6Address):
                # SNMP over IPv6 not supported in single-asic
                if not duthost.is_multi_asic:
                    skip_release(duthost, ["202211", "202205", "202305"])
            result = get_snmp_output(loip, duthost, nbr, creds_all_duts)
            assert result is not None, 'No result from snmpget'
            assert len(result['stdout_lines']) > 0, 'No result from snmpget'
            if isinstance(nbr["host"], EosHost):
                stdout_lines = result['stdout_lines'][0][0]
            else:
                stdout_lines = result['stdout_lines'][0]
>           assert "SONiC Software Version" in stdout_lines,\
                "Sysdescr not found in SNMP result from IP {}".format(ip)
E           AssertionError: Sysdescr not found in SNMP result from IP FC00:1::32/128

config_facts = {'ACL_TABLE': {'DATAACL': {'policy_desc': 'DATAACL', 'ports': ['PortChannel101', 'PortChannel102'], 'stage': 'ingress'... and/or use are subject to monitoring.\n\nHelp:    https://sonic-net.github.io/SONiC/\n\n', 'state': 'disabled'}}, ...}
creds_all_duts = {'vlab-08': {'ansible_altpasswords': [], 'ansible_become_pass': 'password', 'ansible_ssh_pass': 'password', 'ansible_ssh_user': 'user', ...}}
duthost    = <MultiAsicSonicHost vlab-08>
duthosts   = [<MultiAsicSonicHost vlab-08>]
enum_rand_one_per_hwsku_frontend_hostname = 'vlab-08'
hostip     = '10.250.0.112'
ip         = 'FC00:1::32/128'
ip_version = <class 'ipaddress.IPv6Address'>
ipaddr     = IPv6Address('fc00:1::32')
localhost  = <tests.common.devices.local.Localhost object at 0x7f0cb45781f0>
loip       = 'FC00:1::32'
nbr        = <EosHost VM0128>
nbrhosts   = {'ARISTA01T0': <EosHost VM0129>, 'ARISTA01T2': <EosHost VM0128>}
result     = {'changed': False, 'stdout': ["Timeout: No Response from FC00:1::32.\n% 'snmpget -v2c -c public FC00:1::32 .1.3.6.1.2....': 'all', 'retries': 10, 'interval': 1, 'wait_for': None, 'provider': None}}, '_ansible_no_log': None, 'failed': False}
snmp_facts = {'ansible_all_ipv4_addresses': [], 'ansible_sysCachedMemory': 1425364, 'ansible_sysTotalBuffMemory': 59620, 'ansible_sysTotalFreeMemory': 1198412, ...}
stdout_lines = 'Timeout: No Response from FC00:1::32.'
tbinfo     = {'auto_recover': 'False', 'comment': 'Tests multi-asic virtual switch vm', 'conf-name': 'vms-kvm-four-asic-t1-lag', 'duts': ['vlab-08'], ...}

snmp/test_snmp_loopback.py:49: AssertionError
====================================================================== warnings summary =======================================================================
../../../usr/local/lib/python3.8/dist-packages/paramiko/transport.py:236
  /usr/local/lib/python3.8/dist-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
    "class": algorithms.Blowfish,

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
--------------------------------------------------- generated xml file: /data/sonic-mgmt/tests/logs/tr.xml ----------------------------------------------------
=================================================================== short test summary info ===================================================================
FAILED snmp/test_snmp_loopback.py::test_snmp_loopback[vlab-08-IPv6Address] - AssertionError: Sysdescr not found in SNMP result from IP FC00:1::32/128
```

@maipbui maipbui requested a review from Yarden-Z July 16, 2024 18:49
maipbui (Contributor Author) commented Jul 17, 2024

@Yarden-Z @qiluo-msft could you help review? Pipeline has passed.

@maipbui maipbui marked this pull request as ready for review July 17, 2024 00:51
maipbui (Contributor Author) commented Jul 22, 2024

/azpw run ms_conflict

mssonicbld (Collaborator) commented:

/AzurePipelines run ms_conflict

No pipelines are associated with this pull request.

maipbui (Contributor Author) commented Jul 22, 2024

/azpw ms_conflict

@qiluo-msft qiluo-msft merged commit 36f95b7 into sonic-net:master Jul 22, 2024
22 checks passed
@maipbui maipbui deleted the db_priv branch July 22, 2024 16:31
arun1355492 pushed a commit to arun1355492/sonic-buildimage that referenced this pull request Jul 26, 2024
…-net#19248)

liushilongbuaa pushed a commit to liushilongbuaa/sonic-buildimage that referenced this pull request Aug 1, 2024
…-net#19248)
