Linux Capabilities Required By Containerised Contemporary Network Applications

November 21, 2015

To minimise the privileges you assign to a Linux container, and so reduce risk, grant Linux capabilities instead of full root privileges: they provide the least privilege necessary for the task. Here are the capabilities required by contemporary network applications:

- HAProxy: None
- Pacemaker & Corosync: NET_ADMIN and NET_BROADCAST
- Keepalived: NET_ADMIN and NET_BROADCAST
- Mounting NFS: SYS_ADMIN
- Mounting SMB: CAP_SYS_ADMIN and CAP_DAC_READ_SEARCH

Note: omit any leading CAP_ when specifying capabilities in a Docker Compose file or with the docker run command.
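Once a container has been started with a reduced set (for example `docker run --cap-drop ALL --cap-add NET_ADMIN --cap-add NET_BROADCAST ...` for Keepalived), the practical check is to read the effective capability mask the kernel actually gave the process and compare it with what you intended. The script below is an added example, not code from the original post: it decodes the hex `CapEff:` value from `/proc/<pid>/status` into capability names using the kernel's bit numbering, and reports any capability beyond an expected list. The function and variable names are my own, and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Capability names in kernel bit order (bit 0 = CAP_CHOWN ... bit 37 = CAP_AUDIT_READ).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ"

# decode_caps HEXMASK -> space-separated capability names (without the CAP_ prefix)
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# current_caps -> effective capabilities of this shell, read from /proc/self/status
current_caps() {
    while read -r key val; do
        if [ "$key" = "CapEff:" ]; then
            decode_caps "$val"
            return 0
        fi
    done < /proc/self/status
}

# check_caps HEXMASK "EXPECTED NAMES" -> 0 if every effective capability is expected,
# otherwise prints each unexpected capability and returns 1
check_caps() {
    rc=0
    for n in $(decode_caps "$1"); do
        case " $2 " in
            *" $n "*) ;;
            *) printf 'unexpected capability: %s\n' "$n"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a Keepalived container started with --cap-drop ALL and
# NET_ADMIN (bit 12) + NET_BROADCAST (bit 11) added has CapEff 0x1800.
KEEPALIVED_MASK=0000000000001800
# Constructed sample: the same container with SYS_ADMIN (bit 21) left in, 0x201800.
OVERPRIVILEGED_MASK=0000000000201800

if [ -r /proc/self/status ]; then
    printf 'effective capabilities of this shell: %s\n' "$(current_caps)"
fi
check_caps "$KEEPALIVED_MASK" "NET_ADMIN NET_BROADCAST" && echo "keepalived sample: OK"
check_caps "$OVERPRIVILEGED_MASK" "NET_ADMIN NET_BROADCAST" || echo "overprivileged sample: FAIL"
```

Run it inside the container (or pass it a mask copied from `/proc/<pid>/status` on the host) to confirm the drop/add flags produced exactly the set listed above; the same decoding works for the `CapBnd:` bounding set if you want to verify that nothing can be re-acquired.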

© 2015 - 2016 Some Guy. All rights reserved.