Adding Capabilities to a Red Hat Container
A few weeks ago, I wrote a blog on removing capabilities from a container. But what if you want to add capabilities?
While I recommend that people remove capabilities, in certain situations users need to add capabilities in order to get their container to run.
One example is when you have a app that needs a single capability, like an Network Time Protocol (NTP) daemon container that resets the system time on a machine. So if you wanted to run a container for an ntp daemon, you would need to do a –cap-add SYS_TIME. Sadly, many users don’t think this through, or understand what it means to add a capability.
The most dangerous capability: SYS_ADMIN
Whenever I present on container security I explain that the power of root was originally broken into 32 separate capabilities. These capabilities were originally fairly fine grained. But two things conspired to make some of them become very powerful.
Read the entire article here, Adding Capabilities to a Container – Red Hat Enterprise Linux Blog
via the fine folks at Red Hat.