containers.conf man page lists wrong capabilities

[vrothberg]

Noticed during a presentation yesterday, so I want to create the issue before I forget about it.

man containers.conf does not list the same capabilities as are actually used (e.g., mknod is listed in the man page but not used anymore). I did not take a look; maybe the man pages diverged from the code?

Cc: @rhatdan

[rhatdan]

Currently the default capabilities in the Red Hat Distros are overridden in containers.conf

default_capabilities = [
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
  "SYS_CHROOT"
]

But in containers/common/pkg/default.go they match Docker

	DefaultCapabilities = []string{
		"CAP_AUDIT_WRITE",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_KILL",
		"CAP_MKNOD",
		"CAP_NET_BIND_SERVICE",
		"CAP_NET_RAW",
		"CAP_SETFCAP",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYS_CHROOT",
	}

Since we have released for several os versions like this we should probably change containers/common's default going forward. Then we can make the man page match.

[vrothberg]

That explains it. Thanks, @rhatdan!

[rhatdan]

What do you think about changing the defaults in common? And then distros that want the Docker defaults can ship their own containers.conf.

[vrothberg]

I am very supportive of the idea. Given we shipped it in Fedora and RHEL for a long while now, we can be confident to not break many users if at all.

[vrothberg]

If we do it, let's drop a message in the Podman changelog. Maybe in the commit vendoring the changes?