重庆分公司,新征程启航
为企业提供网站建设、域名注册、服务器等服务
这篇文章主要讲解了“怎么给容器添加linux Capabilities”,文中的讲解内容简单清晰,易于学习与理解,下面请大家跟着小编的思路慢慢深入,一起来研究和学习“怎么给容器添加linux Capabilities”吧!
创新互联建站是一家专注于成都做网站、成都网站设计与策划设计,辽中网站建设哪家好?创新互联建站做网站,专注于网站建设十年,网设计领域的专业建站公司;建站业务涵盖:辽中等地区。辽中做网站价格咨询:13518219792
在docker run命令中,我们可以通过--cap-add
和--cap-drop
来给容器添加linux Capabilities。下面表格中的列出的Capabilities是docker默认给容器添加的,用户可以通过--cap-drop
去除其中一个或者多个。
Docker’s capabilities | Linux capabilities | Capability Description |
---|---|---|
SETPCAP | CAP_SETPCAP | Modify process capabilities. |
MKNOD | CAP_MKNOD | Create special files using mknod(2). |
AUDIT_WRITE | CAP_AUDIT_WRITE | Write records to kernel auditing log. |
CHOWN | CAP_CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
NET_RAW | CAP_NET_RAW | Use RAW and PACKET sockets. |
DAC_OVERRIDE | CAP_DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
FOWNER | CAP_FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
FSETID | CAP_FSETID | Don’t clear set-user-ID and set-group-ID permission bits when a file is modified. |
KILL | CAP_KILL | Bypass permission checks for sending signals. |
SETGID | CAP_SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
SETUID | CAP_SETUID | Make arbitrary manipulations of process UIDs. |
NET_BIND_SERVICE | CAP_NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
SYS_CHROOT | CAP_SYS_CHROOT | Use chroot(2), change root directory. |
SETFCAP | CAP_SETFCAP | Set file capabilities. |
下面表格中列出的Capabilities是docker默认删除的Capabilities,用户可以通过--cap-add
添加其中一个或者多个。
Docker’s capabilities | Linux capabilities | Capability Description |
---|---|---|
SYS_MODULE | CAP_SYS_MODULE | Load and unload kernel modules. |
SYS_RAWIO | CAP_SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
SYS_PACCT | CAP_SYS_PACCT | Use acct(2), switch process accounting on or off. |
SYS_ADMIN | CAP_SYS_ADMIN | Perform a range of system administration operations. |
SYS_NICE | CAP_SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
SYS_RESOURCE | CAP_SYS_RESOURCE | Override resource Limits. |
SYS_TIME | CAP_SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
SYS_TTY_CONFIG | CAP_SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
AUDIT_CONTROL | CAP_AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
MAC_OVERRIDE | CAP_MAC_OVERRIDE | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
MAC_ADMIN | CAP_MAC_ADMIN | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
NET_ADMIN | CAP_NET_ADMIN | Perform various network-related operations. |
SYSLOG | CAP_SYSLOG | Perform privileged syslog(2) operations. |
DAC_READ_SEARCH | CAP_DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
LINUX_IMMUTABLE | CAP_LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
NET_BROADCAST | CAP_NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
IPC_LOCK | CAP_IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
IPC_OWNER | CAP_IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
SYS_PTRACE | CAP_SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
SYS_BOOT | CAP_SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
LEASE | CAP_LEASE | Establish leases on arbitrary files (see fcntl(2)). |
WAKE_ALARM | CAP_WAKE_ALARM | Trigger something that will wake up the system. |
BLOCK_SUSPEND | CAP_BLOCK_SUSPEND | Employ features that can block system suspend. |
比如,我们可以通过给给容器add NET_ADMIN Capability,使得我们可以对network interface进行modify,对应的docker run命令如下:
$ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy
在Kubernetes对Pod的定义中,用户可以add/drop Capabilities在Pod.spec.containers.sercurityContext.capabilities中添加要add的Capabilities list和drop的Capabilities list。
比如,我要添加NET_ADMIN Capability,删除KILL Capability,则对应的Pod定义如下:
apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: - name: friendly-container image: "alpine:3.4" command: ["/bin/echo", "hello", "world"] securityContext: capabilities: add: - NET_ADMIN drop: - KILL
感谢各位的阅读,以上就是“怎么给容器添加linux Capabilities”的内容了,经过本文的学习后,相信大家对怎么给容器添加linux Capabilities这一问题有了更深刻的体会,具体使用情况还需要大家实践验证。这里是创新互联,小编将为大家推送更多相关知识点的文章,欢迎关注!