Docker容器的capability

linux capability是啥？

资料来源：

http://man7.org/linux/man-pages/man7/capabilities.7.html

“ For the purpose of performing permission checks, traditional UNIX

       implementations distinguish two categories of processes: privileged

       processes (whose effective user ID is 0, referred to as superuser or

       root), and unprivileged processes (whose effective UID is nonzero).

       Privileged processes bypass all kernel permission checks, while

       unprivileged processes are subject to full permission checking based

       on the process's credentials (usually: effective UID, effective GID,

       and supplementary group list).

 

       Starting with kernel 2.2, Linux divides the privileges traditionally

       associated with superuser into distinct units, known as capabilities,

       which can be independently enabled and disabled.  Capabilities are a

       per-thread attribute.

”

原来linux系统为了将系统权限作了分类，虽然是root用户，如果没有赋予相关的权限也是白搭。

 

下面命令列出了系统支持的capability：

[root@centos /]# capsh --print

Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36+ep

Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36

Securebits: 00/0x0/1'b0

 secure-noroot: no (unlocked)

 secure-no-suid-fixup: no (unlocked)

 secure-keep-caps: no (unlocked)

uid=0(root)

gid=0(root)

groups=0(root)

 

下面来看看docker-containerd这个进程所有的capability：

cat /proc/`pidof docker-containerd`/status | grep Cap

CapInh: 0000000000000000

CapPrm: 0000001fffffffff

CapEff: 0000001fffffffff

CapBnd: 0000001fffffffff

CapAmb: 0000000000000000

 

capsh --decode=0x1fffffffff    // 解码

0x0000001fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36

对比发现，与系统支持的相符合。（getpcaps `pidof docker-containerd`可以得到同样的输出）

 

下面来看看docker容器的capability：

[root@centos opt]#docker run -ti centos /bin/bash

[root@f45f03e236ec /]# capsh --print

Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip

Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

Securebits: 00/0x0/1'b0

 secure-noroot: no (unlocked)

 secure-no-suid-fixup: no (unlocked)

 secure-keep-caps: no (unlocked)

uid=0(root)

gid=0(root)

groups=

对比发现，容器少了大致下面的capability：

cap_net_admin,cap_net_broadcast,cap_sys_module,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_syslog

 

因此，容器用户不允许执行ip、time这些命令。

 

 

vendor/github.com/containerd/containerd/oci/spec_unix.go，这个文件定义了缺省的capability。

func defaultCaps() []string {

        return []string{

                "CAP_CHOWN",

                "CAP_DAC_OVERRIDE",

                "CAP_FSETID",

                "CAP_FOWNER",

                "CAP_MKNOD",

                "CAP_NET_RAW",

                "CAP_SETGID",

                "CAP_SETUID",

                "CAP_SETFCAP",

                "CAP_SETPCAP",

                "CAP_NET_BIND_SERVICE",

                "CAP_SYS_CHROOT",

                "CAP_KILL",

                "CAP_AUDIT_WRITE",

        }

}

 

下面的命令可以动态的改动容器所有的capability：

[root@centos opt]#docker run --cap-drop all --cap-add net_admin -ti centos /bin/bash

[root@1db73e0aaf38 /]# capsh --print

Current: = cap_net_admin+eip   // 只具备net_admin

Bounding set =cap_net_admin

Securebits: 00/0x0/1'b0

 secure-noroot: no (unlocked)

 secure-no-suid-fixup: no (unlocked)

 secure-keep-caps: no (unlocked)

uid=0(root)

gid=0(root)

groups=