Linux Capabilities Required By Containerised Contemporary Network Applications

A list of applications and the Linux capabilities they require to run in Docker

To minimise the privileges assigned to a Linux container, and so limit what a compromised container can do to the host, grant individual Linux capabilities instead of full root privileges. Each capability unlocks one narrow set of privileged operations, so the container gets only the least privilege it needs. Here are the capabilities required by some contemporary network applications.

  • HAProxy : None
  • Pacemaker & Corosync : NET_ADMIN and NET_BROADCAST
  • Keepalived : NET_ADMIN and NET_BROADCAST
  • Mounting NFS : SYS_ADMIN
  • Mounting SMB : SYS_ADMIN and DAC_READ_SEARCH

Note: You should omit any leading CAP_ when specifying capabilities in a Docker Compose file or with the docker run command. The CAP_-prefixed form is the kernel's name for the same capability, as listed in capabilities(7).

Here’s how you’d apply these capabilities in a docker-compose.yml file:

cap_add:
  - NET_ADMIN
  - SYS_ADMIN

This replaces granting the container full privileges, which hands it every capability plus access to host devices:

privileged: true

If the application still fails after the capability has been added, Docker's default seccomp profile may be blocking a system call it needs. As a last resort you can disable seccomp filtering for the container; note that this removes the syscall filter entirely, so a custom profile that permits only the extra calls required is preferable:

security_opt:
  - seccomp:unconfined

Here’s how you’d specify them when using the docker run command:

docker run --cap-add=SYS_ADMIN --cap-add=NET_ADMIN ...

Instead of:

docker run --privileged=true

And the docker run equivalent for disabling the seccomp filter, again only as a last resort since it removes syscall filtering entirely:

--security-opt seccomp=unconfined
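Once the container is up, confirm that it received exactly the capabilities you added and nothing more. The script below is an added example, not part of the original page: it decodes the CapEff mask from /proc/self/status into capability names and reports what was granted beyond Docker's default set (00000000a80425fb is the mask a plain Docker container shows with its default capabilities; the file name caps.sh is assumed).

```shell
#!/bin/sh
# Decode the CapEff (effective capabilities) field of /proc/<pid>/status into
# capability names, to confirm a container received only the capabilities
# added with cap_add / --cap-add and not the full privileged set.
# Inside the container:  grep CapEff /proc/self/status   (mask is the 2nd field)

# Capability names in bit order, taken from linux/capability.h.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE"

# capeff_from_status: read a /proc/<pid>/status document on stdin, print the mask.
capeff_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# decode_caps HEXMASK: print one capability name per set bit, in bit order.
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
        bit=$(( bit + 1 ))
    done
}

# cap_count HEXMASK: number of capabilities set in the mask.
cap_count() {
    decode_caps "$1" | wc -l | tr -d ' '
}

# has_cap HEXMASK NAME: succeed if NAME (without the CAP_ prefix) is set.
has_cap() {
    decode_caps "$1" | grep -qx "$2"
}

# extra_caps HEXMASK BASELINE: print the capabilities in HEXMASK that are not in
# BASELINE, i.e. what cap_add actually granted on top of Docker's default set.
extra_caps() {
    extra=$(( (0x$1) & ~(0x$2) ))
    decode_caps "$(printf '%x' "$extra")"
}

# Usage:  sh caps.sh 00000000a82435fb   (the value shown by grep CapEff)
if [ -n "${1:-}" ]; then decode_caps "$1"; fi
```

Running it against a container started with --cap-add=NET_ADMIN --cap-add=SYS_ADMIN should list the 14 default capabilities plus those two; a --privileged container shows every bit set instead.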