How to add linux Capabilities to a container

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to add Linux Capabilities to a container. The content is short and easy to follow: it covers the capabilities Docker grants and withholds by default, how to change them with docker run, and how to express the same add/drop lists in a Kubernetes Pod definition.

Docker Container Capabilities

In the docker run command, we can add Linux Capabilities to the container with --cap-add and remove them with --cap-drop. The Capabilities listed in the table below are added to the container by default by Docker, and users can remove one or more of them with --cap-drop.

Docker's capabilities | Linux capabilities | Capability Description
SETPCAP | CAP_SETPCAP | Modify process capabilities.
MKNOD | CAP_MKNOD | Create special files using mknod(2).
AUDIT_WRITE | CAP_AUDIT_WRITE | Write records to kernel auditing log.
CHOWN | CAP_CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)).
NET_RAW | CAP_NET_RAW | Use RAW and PACKET sockets.
DAC_OVERRIDE | CAP_DAC_OVERRIDE | Bypass file read, write and execute permission checks.
FOWNER | CAP_FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
FSETID | CAP_FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
KILL | CAP_KILL | Bypass permission checks for sending signals.
SETGID | CAP_SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list.
SETUID | CAP_SETUID | Make arbitrary manipulations of process UIDs.
NET_BIND_SERVICE | CAP_NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024).
SYS_CHROOT | CAP_SYS_CHROOT | Use chroot(2), change root directory.
SETFCAP | CAP_SETFCAP | Set file capabilities.

The Capabilities listed in the table below are the Capabilities dropped by Docker by default, and users can add one or more of them with --cap-add.

Docker's capabilities | Linux capabilities | Capability Description
SYS_MODULE | CAP_SYS_MODULE | Load and unload kernel modules.
SYS_RAWIO | CAP_SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)).
SYS_PACCT | CAP_SYS_PACCT | Use acct(2), switch process accounting on or off.
SYS_ADMIN | CAP_SYS_ADMIN | Perform a range of system administration operations.
SYS_NICE | CAP_SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
SYS_RESOURCE | CAP_SYS_RESOURCE | Override resource limits.
SYS_TIME | CAP_SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.
SYS_TTY_CONFIG | CAP_SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.
AUDIT_CONTROL | CAP_AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
MAC_OVERRIDE | CAP_MAC_OVERRIDE | Allow MAC configuration or state changes. Implemented for the Smack LSM.
MAC_ADMIN | CAP_MAC_ADMIN | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
NET_ADMIN | CAP_NET_ADMIN | Perform various network-related operations.
SYSLOG | CAP_SYSLOG | Perform privileged syslog(2) operations.
DAC_READ_SEARCH | CAP_DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks.
LINUX_IMMUTABLE | CAP_LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.
NET_BROADCAST | CAP_NET_BROADCAST | Make socket broadcasts, and listen to multicasts.
IPC_LOCK | CAP_IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
IPC_OWNER | CAP_IPC_OWNER | Bypass permission checks for operations on System V IPC objects.
SYS_PTRACE | CAP_SYS_PTRACE | Trace arbitrary processes using ptrace(2).
SYS_BOOT | CAP_SYS_BOOT | Use reboot(2) and kexec_load(2): reboot and load a new kernel for later execution.
LEASE | CAP_LEASE | Establish leases on arbitrary files (see fcntl(2)).
WAKE_ALARM | CAP_WAKE_ALARM | Trigger something that will wake up the system.
BLOCK_SUSPEND | CAP_BLOCK_SUSPEND | Employ features that can block system suspend.

For example, giving the container the NET_ADMIN Capability lets it modify network interfaces; the corresponding docker run command is as follows:

$ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy

Kubernetes SecurityContext

In a Kubernetes Pod definition, users add and drop Capabilities by listing the Capabilities to add and the Capabilities to drop under Pod.spec.containers[].securityContext.capabilities (the add and drop fields).

For example, to add the NET_ADMIN Capability and drop the KILL Capability, the corresponding Pod is defined as follows:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  - name: friendly-container
    image: "alpine:3.4"
    command: ["/bin/echo", "hello", "world"]
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        drop:
        - KILL

Thank you for reading. This is the content of "how to add Linux Capabilities to a container". After studying this article you should have a deeper understanding of how to add Linux Capabilities to a container; the specific usage still needs to be verified in practice.
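To make the add/drop semantics concrete, here is an added example (not code from the original article) that applies --cap-add/--cap-drop lists, as used by both the docker run command and the Pod securityContext above, to Docker's default set and decodes the CapEff mask from /proc/<pid>/status so the result can be verified from inside the container. The capability bit numbers follow linux/capability.h; the add ALL / drop ALL rules are stated from my reading of the Docker engine, not from the article, and the /proc/self/status excerpt is constructed.

```python
# Added example, not code from the original article: applies --cap-add/--cap-drop
# lists (the same lists Kubernetes forwards from securityContext.capabilities) to
# Docker's default set, and decodes CapEff from /proc/<pid>/status to verify it.
CAP_NAMES = (  # kernel bit order from linux/capability.h: bit 0 = CHOWN, ...
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER", "SYS_MODULE",
    "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT",
    "SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE",
    "AUDIT_WRITE", "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN",
    "SYSLOG", "WAKE_ALARM", "BLOCK_SUSPEND",
)
CAP_BITS = {name: bit for bit, name in enumerate(CAP_NAMES)}
# The set Docker grants by default (the first table in the article).
DOCKER_DEFAULT = frozenset([
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE", "FOWNER",
    "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
])

def normalize(name):
    # 'NET_ADMIN', 'CAP_NET_ADMIN' and 'net_admin' all become 'NET_ADMIN'.
    name = name.strip().upper()
    return name[4:] if name.startswith("CAP_") else name

def effective_caps(add=(), drop=(), base=DOCKER_DEFAULT):
    # Docker's rules (assumption, from my reading of the engine): add ALL -> everything
    # minus drops; drop ALL -> only the adds; otherwise base minus drops, plus adds.
    add, drop = {normalize(c) for c in add}, {normalize(c) for c in drop}
    unknown = (add | drop) - set(CAP_BITS) - {"ALL"}
    if unknown:  # a misspelled name fails loudly instead of being silently ignored
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    if "ALL" in add:
        return frozenset(set(CAP_BITS) - drop)
    if "ALL" in drop:
        return frozenset(add)
    return frozenset((base - drop) | add)

def decode_caps(text, field="CapEff"):
    # Accepts a bare hex mask or the full text of /proc/<pid>/status (picks the Cap* line).
    for line in text.splitlines():
        if line.startswith(field + ":"):
            text = line.split(":", 1)[1]
    mask = int(text.strip(), 16)
    return frozenset(n for n, b in CAP_BITS.items() if mask >> b & 1)

# Constructed /proc/self/status excerpt (not captured from a real container).
SAMPLE_STATUS = "Name:\techo\nCapPrm:\t00000000a80435db\nCapEff:\t00000000a80435db\n"
if __name__ == "__main__":  # the article's Pod spec: add NET_ADMIN, drop KILL
    want = effective_caps(add=["NET_ADMIN"], drop=["KILL"])
    print(sorted(want), "matches CapEff:", want == decode_caps(SAMPLE_STATUS))
```

Inside a running container, `grep CapEff /proc/self/status` gives the value to feed to decode_caps; the well-known Docker default mask 00000000a80425fb decodes to exactly the first table.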
