Merge pull request #1252 from rhatdan/caps
Rework default list of capabilities to minimal
openshift-merge-robot authored Dec 6, 2022
2 parents c32cc95 + a3328f2 commit def2a56
Showing 3 changed files with 18 additions and 21 deletions.
10 changes: 6 additions & 4 deletions docs/containers.conf.5.md
Expand Up @@ -88,22 +88,24 @@ List of default capabilities for containers.
The default list is:
```
default_capabilities = [
"AUDIT_WRITE",
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"MKNOD",
"NET_BIND_SERVICE",
"NET_RAW",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT",
]
```

Note, by default container engines using containers.conf, run with less
capabilities than Docker. Docker runs additionally with "AUDIT_WRITE", "MKNOD",
"NET_RAW", "CHROOT". If you need to add one of these capabilities for a
particular container, you can use the --cap-add option or edit your system's containers.conf.

**default_sysctls**=[]

A list of sysctls to be set in containers by default,
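Review bot: the added note names the fourth Docker-only capability as "CHROOT", but everywhere else in this change (the list above, pkg/config/containers.conf and default.go) the capability is spelled "SYS_CHROOT"; use the exact name so a reader can paste it into --cap-add, e.g. `Docker runs additionally with "AUDIT_WRITE", "MKNOD", "NET_RAW", "SYS_CHROOT".` Also "run with less capabilities" should read "run with fewer capabilities", and the list shown under "The default list is:" must match the commented-out list in containers.conf and DefaultCapabilities in default.go entry for entry, because this man page is where an administrator will look to find out what is no longer granted by default.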
25 changes: 12 additions & 13 deletions pkg/config/containers.conf
Expand Up @@ -52,19 +52,18 @@
# List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added.
#
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT"
]
#default_capabilities = [
# "CHOWN",
# "DAC_OVERRIDE",
# "FOWNER",
# "FSETID",
# "KILL",
# "NET_BIND_SERVICE",
# "SETFCAP",
# "SETGID",
# "SETPCAP",
# "SETUID",
#]

# A list of sysctls to be set in containers by default,
# specified as "name=value",
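Review bot: with the shipped default_capabilities block now commented out, the header comment ("If it is empty or commented out, the default capabilities defined in the container engine will be added") means the effective default comes from DefaultCapabilities in pkg/config/default.go and this list is documentation only; add a sentence to the comment saying it must be kept identical to that Go slice, otherwise the two will drift (the new commented list already drops "SYS_CHROOT", which the previous uncommented list carried, so an admin diffing old and new files should be told that is intentional). The drop of AUDIT_WRITE, MKNOD, NET_RAW and SYS_CHROOT is a compatibility change for images whose entrypoints chroot, create device nodes or open raw sockets; it deserves a release note pointing at --cap-add and at this file as the place to restore a capability system-wide.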
4 changes: 0 additions & 4 deletions pkg/config/default.go
Expand Up @@ -50,20 +50,16 @@ var (
DefaultHooksDirs = []string{"/usr/share/containers/oci/hooks.d"}
// DefaultCapabilities is the default for the default_capabilities option in the containers.conf file.
DefaultCapabilities = []string{
"CAP_AUDIT_WRITE",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_KILL",
"CAP_MKNOD",
"CAP_NET_BIND_SERVICE",
"CAP_NET_RAW",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYS_CHROOT",
}

// Search these locations in which CNIPlugins can be installed.
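Review bot: DefaultCapabilities is now the only uncommented copy of the list (the containers.conf default is commented out in this change), so its doc comment should say that it is the source of truth and that the commented list in pkg/config/containers.conf and the list in docs/containers.conf.5.md must be updated together with it. Only three files change here and none is a test, so nothing checks that the three lists agree; a small test that parses the shipped containers.conf block and compares it with this slice would catch future drift.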