Secure Your Containers with this One Weird Trick (RHEL Blog)

Over on the Red Hat Enterprise Linux Blog, Dan Walsh writes about using Linux capabilities to help secure Docker containers. "Let's look at the default list of capabilities available to privileged processes in a docker container:chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap.In the OCI/runc spec they are even more drastic only retaining, audit_write, kill, and net_bind_service and users can use ocitools to add additional capabilities. As you can imagine, I like the approach of adding capabilities you need rather than having to remember to remove capabilities you don't." He then goes through the capabilities listed describing what they govern and when they might need to be turned on for a container application.