Docker-Compose: order of cap_drop and cap_add?
The docker compose file reference describes the cap_add and cap_drop elements in a rather terse fashion:
Add or drop container capabilities. See man 7 capabilities for a full list.
Do these elements have an order, that is, add first, then drop? Or does the order matter (is this supported in YAML at all for dictionaries?)?
What happens when one of cap_add or cap_drop contains ALL?
I'm aware of the Docker Linux default set of capabilities, defined in https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L4.
After diving around the moby source code, I finally located TweakCapabilities(): it takes the two sets of capabilities to add and to drop, enforcing the following scheme below; thus works in docker-compose.yaml where YAML doesn't define an order for the cap_add and cap_drop keys. The first matching item below will terminate the list.
- container is
privileged: true: ignorecap_addandcap_dropcompletely, return all available capabilities instead. - both
cap_addandcap_dropare empty: return the default Docker set of capabilities. cap_addcontainsALL: return all capabilities minus the capabilities listed incap_drop(ignoresALLin the latter).cap_dropcontainsALL: return the capabilities fromcap_addonly, ignoring any Docker default capabilities.- default: first drop all capabilites from the default set listed in
cap_drop, then add the capabilities incap_add, and finally return the result.
If I'm not mistaken this can be also represented in a more accessible manner as follows...
privileged: true |
|---|
ALL capabilities: ignores cap_add and cap_drop (boss mode) |
no cap_add |
cap_add: ['CAP_A'] |
cap_add: ['ALL'] |
|
|---|---|---|---|
no cap_drop |
default capabilities | default + CAP_A |
ALL capabilities |
cap_drop: ['CAP_Z'] |
default -CAP_Z |
default -CAP_Z +CAP_A |
ALL -CAP_Z |
cap_drop: ['ALL'] |
NO capabilities | CAP_A |
ALL capabilities |
In the end, there's only the following two "deterministic" combinations that always include cap_drop: ALL and that follow the line of least privilege:
no cap_add |
cap_add: ['CAP_A'] |
||
|---|---|---|---|
cap_drop: ['ALL'] |
NO capabilities | CAP_A |
- Can't find io.jsonwebtoken.impl.DefaultJwtBuilder when starting project in a docker container
- Docker is not running when trying to curl laravel
- How to display the docker current configuration?
- Docker-compose not reading logging config in /etc/docker/daemon.json
- AWS ECR basic scanning - different outcomes from different accounts
- revive an old php 5.6 website with docker
- How to wait for MSSQL in Docker Compose?
- How to containerize a Blazor .NET 8 app using auto RenderMode and therefore has 2 projects with Docker?
- Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? inside a Dockerfile
- How to cache the RUN npm install instruction when docker build a Dockerfile
- Docker-compose with .NET Core unreachable
- How to pass GitLab CI file variable to Dockerfile and docker container?
- Accessing AWS ElastiCache (Redis CLUSTER mode) from different AWS accounts via AWS PrivateLink
- bitnami postgresql replaces postgresql.conf after restarting docker
- Multi-Platform Docker Images Interfering With Each Other During Build
- How to run a docker container with specific GPUs using Docker SDK for Python
- how to replace npm with pnpm for docker compose for VS Code Dev Containers
- Why is my Docker container, inside GitHub workflow, not working as it does in a standard context (Docker CLI)?
- How do I run a docker instance from a DockerFile?
- empty env variable lunching os.Getenv with docker run, populated with docker compose
- ERR_SSL_PROTOCOL_ERROR when the frontend accesses the backend
- Testcontainers, try to load from local registry before build a Dockerfile
- Simple commands are not working during pipeline execution of a docker image with gitlab-ci.yml
- Mounts denied. The paths ... are not shared from OS X and are not known to Docker
- Can you use the current project_name in a docker compose file?
- How to disable the oom killer in linux?
- Keep Redis data alive between docker-compose down and up in Docker container
- Docker : exec /usr/bin/sh: exec format error
- Add private nuget source to docker build with GitHub secrets
- Docker is in volume in use, but there aren't any Docker containers