adding steps to run with enhanced security

securefederatedai · Jan 17, 2025 · 063bb11 · 063bb11
1 parent 810a471
commit 063bb11
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/openfl-docker/README.md b/openfl-docker/README.md
@@ -86,4 +86,26 @@ docker run --rm \
   -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
   --mount type=bind,source=./certs.tar,target=/certs.tar \
   example_workspace bash -c "gramine-sgx fx collaborator start ..."
-```
+```
+
+### Running in Production
+For running [TaskRunner API](https://openfl.readthedocs.io/en/latest/about/features_index/taskrunner.html#running-the-task-runner) in a production environment with enhanced security, use the following parameters to limit CPU, memory, and process IDs, and to prevent privilege escalation:
+
+Example Command:
+```shell
+docker run --rm --name <Aggregator/Collaborator> --network openfl \
+  -v $WORKING_DIRECTORY:/workdir-openfl \
+  --cpus="0.1" \
+  --memory="512m" \
+  --pids-limit 100 \
+  --security-opt no-new-privileges \
+  openfl:latest
+```
+Parameters:
+```shell
+--cpus="0.1": Limits the container to 10% of a single CPU core.
+--memory="512m": Limits the container to 512MB of memory.
+--pids-limit 100: Limits the number of processes to 100.
+--security-opt no-new-privileges: Prevents the container from gaining additional privileges.
+```
+These settings help ensure that your containerized application runs securely and efficiently in a production environment