Docker-Compose: order of cap_drop and cap_add?

The docker compose file reference describes the cap_add and cap_drop elements in a rather terse fashion:

Add or drop container capabilities. See man 7 capabilities for a full list.

Do these elements have an order, that is, add first, then drop? Or does the order matter at all (is ordering even supported in YAML for dictionaries)?

What happens when one of cap_add or cap_drop contains ALL?

I'm aware of the Docker Linux default set of capabilities, defined in https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L4.

TheDiveO asked Jul 29 '20 21:07

1 Answer

After diving around the moby source code, I finally located TweakCapabilities(): it takes the two sets of capabilities to add and to drop, enforcing the scheme below; thus it works in docker-compose.yaml, where YAML doesn't define an order for the cap_add and cap_drop keys. The first matching item below will terminate the list.

  • container is privileged: true: ignore cap_add and cap_drop completely, return all available capabilities instead.
  • both cap_add and cap_drop are empty: return the default Docker set of capabilities.
  • cap_add contains ALL: return all capabilities minus the capabilities listed in cap_drop (ignores ALL in the latter).
  • cap_drop contains ALL: return the capabilities from cap_add only, ignoring any Docker default capabilities.
  • default: first drop all capabilities from the default set listed in cap_drop, then add the capabilities in cap_add, and finally return the result.

If I'm not mistaken, this can also be represented in a more accessible manner as follows...

cap_add/cap_drop

privileged: true      -> ALL capabilities: ignores cap_add and cap_drop (boss mode)

                      | no cap_add           | cap_add: ['CAP_A']    | cap_add: ['ALL']
no cap_drop           | default capabilities | default + CAP_A       | ALL capabilities
cap_drop: ['CAP_Z']   | default -CAP_Z       | default -CAP_Z +CAP_A | ALL -CAP_Z
cap_drop: ['ALL']     | NO capabilities      | CAP_A                 | ALL capabilities

In the end, there are only the following two "deterministic" combinations that always include cap_drop: ALL and that follow the line of least privilege:

cap_drop

                      | no cap_add           | cap_add: ['CAP_A']
cap_drop: ['ALL']     | NO capabilities      | CAP_A
TheDiveO answered Oct 22 '22 07:10
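The scheme from the answer above, re-implemented as an added Go example (this is not moby's own TweakCapabilities(), just the five rules in the order the answer gives them) so you can check what a cap_add/cap_drop pair resolves to before deploying it. defaultCaps is assumed to match the defaults.go the question links, allCaps is a constructed stand-in for the full kernel set, and capability names are compared as written.

```go
package main

import "sort"

// Assumed to mirror Docker's defaults.go (linked in the question); verify there.
var defaultCaps = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
	"CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
	"CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

// Constructed stand-in for the full kernel set: defaults plus a few privileged ones.
var allCaps = append(append([]string{}, defaultCaps...),
	"CAP_NET_ADMIN", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE")

func toSet(caps []string) map[string]bool {
	s := map[string]bool{}
	for _, c := range caps {
		s[c] = true
	}
	return s
}

// minusPlus: base without drop, then union add, sorted. Nil maps read as empty.
func minusPlus(base []string, drop, add map[string]bool) []string {
	keep := toSet(base)
	for c := range drop {
		delete(keep, c)
	}
	for c := range add {
		keep[c] = true
	}
	out := make([]string, 0, len(keep))
	for c := range keep {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// ResolveCaps applies the answer's scheme; the first matching rule wins.
func ResolveCaps(privileged bool, capAdd, capDrop []string) []string {
	adds, drops := toSet(capAdd), toSet(capDrop)
	switch {
	case privileged: // cap_add and cap_drop are ignored entirely
		return minusPlus(allCaps, nil, nil)
	case adds["ALL"]: // everything minus cap_drop; an ALL in cap_drop is ignored
		return minusPlus(allCaps, drops, nil)
	case drops["ALL"]: // only cap_add survives; the defaults are discarded
		return minusPlus(nil, nil, adds)
	default: // defaults minus cap_drop, then plus cap_add (both empty: defaults)
		return minusPlus(defaultCaps, drops, adds)
	}
}
```

The rows of the answer's table fall out directly: ResolveCaps(false, []string{"ALL"}, []string{"CAP_Z"}) is "ALL -CAP_Z", and ResolveCaps(false, nil, []string{"ALL"}) is the empty set.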