Hi
Ansible’s docker_container module does not implement the cap_drop and cap_add features to fully control access to kernel capabilities.
Instead it implements the “capabilities” module for adding capabilities to a container:
https://docs.ansible.com/ansible/2.4/docker_container_module.html#docker-container
The problem with this is that the “capabilities” parameter only supports adding capabilities, not removing them.
Given this, how is it possible to restrict kernel capabilities beyond the default?
Well, first, you can use the command module
(https://docs.ansible.com/ansible/latest/modules/command_module.html)
to use the docker executable to remove the capabilities "by hand".
If you want to have support in the docker_container module, I'd suggest
creating an issue for it (and first searching whether someone already
opened such an issue), or even providing code via a PR which adds a
'remove_capabilities' parameter (or however you want to call it) to
docker_container.
In fact, it looks like someone already created an issue for this
yesterday: https://github.com/ansible/ansible/issues/43293
Cheers,
Felix
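The following playbook is an added example of the workaround Felix describes (it is not code from the thread or from Ansible itself): it starts the container through the command module with `docker run --cap-drop ALL` plus an explicit allow-list of `--cap-add` flags, guards the `docker run` with a `docker inspect` pre-check so the play stays idempotent, and then reads `HostConfig` back and fails the play if the restriction did not take effect. The host group, container name, image and the capability list are assumptions chosen for illustration.

```yaml
# Added example, not part of the original thread.
# Runs a container with a reduced capability set via the `command` module
# (docker_container in Ansible 2.4 can only add capabilities) and verifies it.
# Host group, container name, image and capability list are hypothetical.
- name: Run a container with a restricted kernel capability set
  hosts: docker_hosts
  become: true
  vars:
    container_name: hardened-web
    container_image: nginx:1.15
    # Drop everything, then add back only what the workload actually needs.
    cap_add_list:
      - NET_BIND_SERVICE
      - CHOWN
      - SETUID
      - SETGID
  tasks:
    - name: Check whether the container already exists (keeps the play idempotent)
      # '{{ "{{" }}' / '{{ "}}" }}' emit literal Go-template braces for docker.
      command: docker inspect --format '{{ "{{" }}.Id{{ "}}" }}' {{ container_name }}
      register: existing
      failed_when: false
      changed_when: false

    - name: Start the container with --cap-drop ALL and an explicit allow-list
      command: >
        docker run -d --name {{ container_name }}
        --cap-drop ALL
        {% for cap in cap_add_list %}--cap-add {{ cap }} {% endfor %}
        --security-opt no-new-privileges
        {{ container_image }}
      when: existing.rc != 0

    - name: Read back the HostConfig that docker actually applied
      command: docker inspect --format '{{ "{{" }}json .HostConfig{{ "}}" }}' {{ container_name }}
      register: hostconfig
      changed_when: false

    - name: Fail if the capability restriction did not take effect
      vars:
        hc: "{{ hostconfig.stdout | from_json }}"
        # Normalise names in case docker reports them with a CAP_ prefix.
        applied_caps: "{{ hc.CapAdd | default([]) | map('regex_replace', '^CAP_', '') | map('upper') | sort | list }}"
        wanted_caps: "{{ cap_add_list | map('upper') | sort | list }}"
      assert:
        that:
          - "'ALL' in (hc.CapDrop | default([]))"
          - applied_caps == wanted_caps
          - not hc.Privileged
        fail_msg: "{{ container_name }} is running with more capabilities than intended"
```

Because the container is created outside docker_container, nothing tracks it for you: the `docker inspect` pre-check is what prevents a second run from failing on a duplicate name. The assertion only checks what the daemon recorded in `HostConfig`; to confirm what the kernel actually enforces, run `docker exec <name> grep CapEff /proc/1/status` and decode the mask with `capsh --decode=<hex>` on the host.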