Newer versions of docker have --cap-add, what CAP's can be added?
Newer versions of docker (1.2 and up, I believe) have the --cap-add feature.
This gives fine-grained control over capabilities without having to open everything up with --privileged=true.
I googled but couldn't find a list of the capabilities and what they mean. Can anyone help?
Funny... I googled for an hour and couldn't find the answer. I ask here and find it in 2 seconds.
http://man7.org/linux/man-pages/man7/capabilities.7.html
When passing these to docker you need to drop the CAP_ from the name.
i.e. to allow mounting inside a docker container:
docker run --cap-add SYS_ADMIN ...
The following may be useful: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
The following is taken from that page (3 February 2022):
By default, Docker has a default list of capabilities that are kept. The following table lists the Linux capability options which are allowed by default and can be dropped.
| Capability Key | Capability Description |
|---|---|
| AUDIT_WRITE | Write records to kernel auditing log. |
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
| FSETID | Don’t clear set-user-ID and set-group-ID permission bits when a file is modified. |
| KILL | Bypass permission checks for sending signals. |
| MKNOD | Create special files using mknod(2). |
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
| NET_RAW | Use RAW and PACKET sockets. |
| SETFCAP | Set file capabilities. |
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
| SETPCAP | Modify process capabilities. |
| SETUID | Make arbitrary manipulations of process UIDs. |
| SYS_CHROOT | Use chroot(2), change root directory. |
The next table shows the capabilities which are not granted by default and may be added.
| Capability Key | Capability Description |
|---|---|
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
| AUDIT_READ | Allow reading the audit log via multicast netlink socket. |
| BLOCK_SUSPEND | Allow preventing system suspends. |
| BPF | Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. |
| CHECKPOINT_RESTORE | Allow checkpoint/restore related operations. Introduced in kernel 5.9. |
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
| MAC_ADMIN | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
| NET_ADMIN | Perform various network-related operations. |
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
| PERFMON | Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems. |
| SYS_ADMIN | Perform a range of system administration operations. |
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
| SYS_MODULE | Load and unload kernel modules. |
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
| SYS_RESOURCE | Override resource limits. |
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
| SYSLOG | Perform privileged syslog(2) operations. |
| WAKE_ALARM | Trigger something that will wake up the system. |
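As an added example (not from the question or either answer above), a small Python script that decodes the CapEff mask a process reports in /proc/<pid>/status into the capability names used with --cap-add, and lists anything beyond Docker's default set from the first table; the bit numbers are taken from capabilities(7), and the sample status text is constructed.

```python
# Added example: decode a CapEff/CapBnd bitmask from /proc/<pid>/status into
# the names used by `docker run --cap-add/--cap-drop`, and report which
# capabilities exceed Docker's default set. Bit numbers follow capabilities(7).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Docker's default capability set (the first table in the answer above).
DOCKER_DEFAULT = frozenset([
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
])


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapBnd hex string into the set of capability names."""
    mask = int(hex_mask, 16)
    names = {n for i, n in enumerate(CAP_NAMES) if mask >> i & 1}
    # Bits newer than this table are kept visible instead of silently dropped.
    unknown = {f"CAP_#{i}" for i in range(len(CAP_NAMES), mask.bit_length())
               if mask >> i & 1}
    return names | unknown


def cap_eff_from_status(status_text):
    """Extract the CapEff field from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")


def caps_beyond_default(status_text):
    """Capabilities the process holds that Docker does not grant by default."""
    return sorted(decode_cap_mask(cap_eff_from_status(status_text)) - DOCKER_DEFAULT)


# Constructed sample: what a process sees after `docker run --cap-add SYS_ADMIN`
# (Docker's default mask 0xa80425fb with bit 21, SYS_ADMIN, added).
SAMPLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a82425fb\n"

if __name__ == "__main__":
    print(caps_beyond_default(SAMPLE_STATUS))  # ['SYS_ADMIN']
```

Run it against `cat /proc/1/status` from inside a container to see which capabilities were added beyond the defaults.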