共计 3931 个字符，预计需要花费 10 分钟才能阅读完成。

这篇文章主要讲解了“怎么给容器添加 linux Capabilities”，文中的讲解内容简单清晰，易于学习与理解，下面请大家跟着丸趣 TV 小编的思路慢慢深入，一起来研究和学习“怎么给容器添加 linux Capabilities”吧！

Docker Container Capabilities

在 docker run 命令中，我们可以通过 –cap-add 和 –cap-drop 来给容器添加 linux Capabilities。下面表格中的列出的 Capabilities 是 docker 默认给容器添加的，用户可以通过 –cap-drop 去除其中一个或者多个。

Docker’s capabilitiesLinux capabilitiesCapability DescriptionSETPCAPCAP_SETPCAPModify process capabilities.MKNODCAP_MKNODCreate special files using mknod(2).AUDIT_WRITECAP_AUDIT_WRITEWrite records to kernel auditing log.CHOWNCAP_CHOWNMake arbitrary changes to file UIDs and GIDs (see chown(2)).NET_RAWCAP_NET_RAWUse RAW and PACKET sockets.DAC_OVERRIDECAP_DAC_OVERRIDEBypass file read, write, and execute permission checks.FOWNERCAP_FOWNERBypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.FSETIDCAP_FSETIDDon’t clear set-user-ID and set-group-ID permission bits when a file is modified.KILLCAP_KILLBypass permission checks for sending signals.SETGIDCAP_SETGIDMake arbitrary manipulations of process GIDs and supplementary GID list.SETUIDCAP_SETUIDMake arbitrary manipulations of process UIDs.NET_BIND_SERVICECAP_NET_BIND_SERVICEBind a socket to internet domain privileged ports (port numbers less than 1024).SYS_CHROOTCAP_SYS_CHROOTUse chroot(2), change root directory.SETFCAPCAP_SETFCAPSet file capabilities.

下面表格中列出的 Capabilities 是 docker 默认删除的 Capabilities，用户可以通过 –cap-add 添加其中一个或者多个。

Docker’s capabilitiesLinux capabilitiesCapability DescriptionSYS_MODULECAP_SYS_MODULELoad and unload kernel modules.SYS_RAWIOCAP_SYS_RAWIOPerform I/O port operations (iopl(2) and ioperm(2)).SYS_PACCTCAP_SYS_PACCTUse acct(2), switch process accounting on or off.SYS_ADMINCAP_SYS_ADMINPerform a range of system administration operations.SYS_NICECAP_SYS_NICERaise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.SYS_RESOURCECAP_SYS_RESOURCEOverride resource Limits.SYS_TIMECAP_SYS_TIMESet system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.SYS_TTY_CONFIGCAP_SYS_TTY_CONFIGUse vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.AUDIT_CONTROLCAP_AUDIT_CONTROLEnable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.MAC_OVERRIDECAP_MAC_OVERRIDEAllow MAC configuration or state changes. Implemented for the Smack LSM.MAC_ADMINCAP_MAC_ADMINOverride Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).NET_ADMINCAP_NET_ADMINPerform various network-related operations.SYSLOGCAP_SYSLOGPerform privileged syslog(2) operations.DAC_READ_SEARCHCAP_DAC_READ_SEARCHBypass file read permission checks and directory read and execute permission checks.LINUX_IMMUTABLECAP_LINUX_IMMUTABLESet the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.NET_BROADCASTCAP_NET_BROADCASTMake socket broadcasts, and listen to multicasts.IPC_LOCKCAP_IPC_LOCKLock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).IPC_OWNERCAP_IPC_OWNERBypass permission checks for operations on System V IPC objects.SYS_PTRACECAP_SYS_PTRACETrace arbitrary processes using ptrace(2).SYS_BOOTCAP_SYS_BOOTUse reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.LEASECAP_LEASEEstablish leases on arbitrary files (see fcntl(2)).WAKE_ALARMCAP_WAKE_ALARMTrigger something that will wake up the system.BLOCK_SUSPENDCAP_BLOCK_SUSPENDEmploy features that can block system suspend.

比如，我们可以通过给给容器 add NET_ADMIN Capability，使得我们可以对 network interface 进行 modify，对应的 docker run 命令如下：

$ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy

Kubernetes SecurityContext

在 Kubernetes 对 Pod 的定义中，用户可以 add/drop Capabilities 在 Pod.spec.containers.sercurityContext.capabilities 中添加要 add 的 Capabilities list 和 drop 的 Capabilities list。

比如，我要添加 NET_ADMIN Capability，删除 KILL Capability，则对应的 Pod 定义如下：

apiVersion: v1
kind: Pod
metadata:
 name: hello-world
spec:
 containers:
 - name: friendly-container
 image:  alpine:3.4 
 command: [/bin/echo ,  hello ,  world]
 securityContext:
 capabilities:
 add:
 - NET_ADMIN
 drop:
 - KILL

感谢各位的阅读，以上就是“怎么给容器添加 linux Capabilities”的内容了，经过本文的学习后，相信大家对怎么给容器添加 linux Capabilities 这一问题有了更深刻的体会，具体使用情况还需要大家实践验证。这里是丸趣 TV，丸趣 TV 小编将为大家推送更多相关知识点的文章，欢迎关注！