Revert "Rework default list of capabilities to minimal"
This reverts commit f39f2a3.
As shown in containers/podman/pull/16610 the changes require a number of
changes in Podman's CI.  While many issues have been fixed in that PR,
there are some potentially controversial changes such as dropping
NET_RAW.

Let's revert the commit to unblock ongoing work.  For the next
iteration, Podman CI must be green before merging.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
vrothberg committed Nov 25, 2022
1 parent e120413 commit 45b76f1
Showing 3 changed files with 21 additions and 18 deletions.
10 changes: 4 additions & 6 deletions docs/containers.conf.5.md
@@ -88,24 +88,22 @@ List of default capabilities for containers.
The default list is:
```
default_capabilities = [
"AUDIT_WRITE",
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"MKNOD",
"NET_BIND_SERVICE",
"SETFCAP",
"NET_RAW",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT",
]
```

Note, by default container engines using containers.conf, run with less
capabilities than Docker. Docker runs additionally with "AUDIT_WRITE", "MKNOD",
"NET_RAW", "CHROOT". If you need to add one of these capabilities for a
particular container, you can use the --cap-add option or edit your system's containers.conf.

**default_sysctls**=[]

A list of sysctls to be set in containers by default,
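Review bot: the paragraph after the restored list ("Note, by default container engines using containers.conf, run with less capabilities than Docker ...") now contradicts the list directly above it. It states that Docker additionally grants "AUDIT_WRITE", "MKNOD", "NET_RAW", "CHROOT", yet this hunk puts all four back into `default_capabilities` (as AUDIT_WRITE, MKNOD, NET_RAW and SYS_CHROOT), so the sentence no longer describes a difference. Either drop that paragraph as part of the revert or rewrite it to name the actual remaining difference; while touching it, "less capabilities" should read "fewer capabilities" and "CHROOT" should be the real capability name, "SYS_CHROOT".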
25 changes: 13 additions & 12 deletions pkg/config/containers.conf
@@ -52,18 +52,19 @@
# List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added.
#
#default_capabilities = [
# "CHOWN",
# "DAC_OVERRIDE",
# "FOWNER",
# "FSETID",
# "KILL",
# "NET_BIND_SERVICE",
# "SETFCAP",
# "SETGID",
# "SETPCAP",
# "SETUID",
#]
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT"
]

# A list of sysctls to be set in containers by default,
# specified as "name=value",
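Review bot: this hunk turns the commented-out template into an active assignment, and that changes what a system installing this file gets. The header comment directly above says the engine's built-in defaults apply only "if it is empty or commented out", so the 11-entry list here now overrides `DefaultCapabilities` in pkg/config/default.go (14 entries in this same commit, including AUDIT_WRITE, MKNOD and NET_RAW) instead of mirroring it. If restoring that previous behaviour is the intent of the revert, the two lists should at least be reconciled or the divergence stated in the comment; a small test in pkg/config that parses the shipped file and compares the result with `DefaultCapabilities` would stop the two from drifting apart again.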
4 changes: 4 additions & 0 deletions pkg/config/default.go
@@ -76,16 +76,20 @@ var (
DefaultHooksDirs = []string{"/usr/share/containers/oci/hooks.d"}
// DefaultCapabilities is the default for the default_capabilities option in the containers.conf file.
DefaultCapabilities = []string{
"CAP_AUDIT_WRITE",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_KILL",
"CAP_MKNOD",
"CAP_NET_BIND_SERVICE",
"CAP_NET_RAW",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYS_CHROOT",
}

// Search these locations in which CNIPlugins can be installed.
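Review bot: re-adding "CAP_AUDIT_WRITE", "CAP_MKNOD", "CAP_NET_RAW" and "CAP_SYS_CHROOT" to `DefaultCapabilities` is the user-visible part of this revert, and CAP_NET_RAW is the entry the commit message itself calls controversial. Because this slice is what applies whenever no containers.conf sets `default_capabilities`, every such deployment silently returns to the 14-capability set the moment this ships. That is expected for a revert, but it deserves an explicit sentence in the commit message or release notes so operators who had relied on the smaller set know the bounding set has grown back; the next attempt at the reduction should also land the code, the shipped containers.conf and docs/containers.conf.5.md together so the three stay in agreement.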
