Before Docker 1.2, a container ran in one of two modes: privileged mode, which gave it the complete set of Linux capabilities, or the default mode, in which the container kept a whitelist of allowed capabilities and dropped all others. The --privileged flag selects the first mode and grants every capability to the container. This was never recommended for production use because it is unsafe: a process inside such a container holds essentially the same privileges as root on the host.
With Docker 1.2, two flags were introduced for docker run:
--cap-add
--cap-drop
These two flags provide fine-grained control over the capabilities a container starts with, for example, as follows:
Change the state of a network interface inside the container (NET_ADMIN is not in the default set, so it has to be added):
docker run --cap-add=NET_ADMIN busybox sh -c "ip link set eth0 down"
Prevent any chown in the Docker container:
docker run --cap-drop=CHOWN ...
Allow all capabilities except mknod:
docker run --cap-add=ALL --cap-drop=MKNOD ...
Docker starts containers with a restricted set of capabilities by default. Capabilities convert a binary mode of root and non-root...