
How to Use cap_add and cap_drop in Docker Compose

Anastasios Antoniadis

Learn how to effectively use cap_add and cap_drop in Docker Compose to fine-tune container capabilities, enhancing security and control in your Dockerized environments with our insightful guide.


When working with Docker containers, it is crucial to strike a balance between security and functionality. Containers are isolated by design, but some applications need specific privileges to do their job, and every privilege a container holds without needing it is attack surface for whoever compromises the process inside. To fine-tune these privileges, Docker Compose exposes two service properties, cap_add and cap_drop, which add Linux capabilities to, and remove them from, the default set a container's root user receives. In this article, you’ll learn how to use these properties in a docker-compose.yml file, with examples that help you keep containers both functional and tightly scoped.

Understanding Linux Capabilities

Before we dive into the specifics of cap_add and cap_drop, it’s crucial to understand the concept of Linux capabilities. Traditionally, Linux systems differentiate between two types of processes: privileged (running as root, uid 0, which bypasses every permission check) and unprivileged (subject to all of them). This binary approach is too broad for most applications: a program that only needs to bind port 80 does not need the power to load kernel modules or mount filesystems, yet classic root gives it both.

Linux capabilities divide the privileges of the root user into distinct units, each of which can be independently enabled or disabled for a process. For example, CAP_NET_BIND_SERVICE covers binding to ports below 1024, CAP_NET_RAW covers raw sockets, and CAP_SYS_ADMIN covers a large grab-bag of administrative operations that is close to full root. Docker leverages this mechanism: the root user inside a container does not receive every capability, only a fixed default set of fourteen (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE and SETFCAP). This is a large part of what makes root in a container less dangerous than root on the host, and it is exactly the set that cap_add and cap_drop adjust. You can see the capabilities a process actually holds in the CapEff line of /proc/<pid>/status (a hex bitmask), or decode that mask with capsh --decode from libcap.

Docker Compose and Linux Capabilities

Docker Compose, a tool for defining and running multi-container Docker applications, lets you specify which capabilities to add to or drop from each service with the cap_add and cap_drop properties in your docker-compose.yml file. Both take a list of capability names; the CAP_ prefix is optional and names are matched case-insensitively, and the special value ALL stands for every capability. They apply per service, and both are overridden entirely by privileged: true, which grants all capabilities (and disables other isolation as well), so never combine the two and expect cap_drop to hold.

Adding Capabilities (cap_add)

cap_add grants a container Linux capabilities beyond the default set provided by Docker. This is useful for applications that genuinely need a specific privilege to operate correctly, but every added capability is also available to an attacker who compromises the process, so add the narrowest capability that works (NET_BIND_SERVICE rather than NET_ADMIN, and SYS_ADMIN only as a last resort, since it is close to unrestricted root).

Example: Allowing Container to Use Ping

Sending a hand-built ICMP echo request needs a raw socket, and opening one requires CAP_NET_RAW. To make sure a container can send ICMP packets (ping), you can add the NET_RAW capability. Two caveats apply. First, NET_RAW is already in Docker's default set, so this line only changes anything when the default has been removed, for example by a cap_drop of ALL in the same service. Second, modern ping binaries can fall back to an unprivileged ICMP datagram socket when the kernel's net.ipv4.ping_group_range sysctl includes the process's group, in which case no capability is needed at all. NET_RAW is also a frequent candidate for dropping, since raw sockets let a compromised container sniff and spoof traffic (ARP, DNS) on its bridge network.

version: '3.8'
services:
  myservice:
    image: myimage
    cap_add:
      - NET_RAW

Dropping Capabilities (cap_drop)

Conversely, cap_drop is used to remove certain Linux capabilities from a container. Dropping unnecessary capabilities can help enforce the principle of least privilege, reducing the container’s attack surface.

Example: Dropping the NET_ADMIN Capability

For a container that doesn’t require network administration privileges, you can drop the NET_ADMIN capability. Be aware that dropping only changes anything for capabilities the container would otherwise hold: NET_ADMIN is not in Docker's default set, so on a stock daemon this particular drop is a no-op. It still documents intent, and if the same service also has cap_add: - ALL the explicit drop is honoured and NET_ADMIN stays off. To actually shrink the default set, drop something that is in it, such as NET_RAW or DAC_OVERRIDE, or drop ALL and add back only what you need, as in the next example.

version: '3.8'
services:
  myservice:
    image: myimage
    cap_drop:
      - NET_ADMIN

Practical Use Case: Securing a Web Server

Let’s consider a practical example where you’re deploying a web server using Docker Compose. For enhanced security, you drop all capabilities and add back only those the web server needs to function.

version: '3.8'
services:
  webserver:
    image: nginx:latest
    ports:
      - "80:80"
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE

In this configuration:

  • cap_drop: ALL removes every capability, including Docker's fourteen defaults, so the container's root user starts with none.
  • cap_add then selectively grants the capabilities the web server needs:
    • SETUID and SETGID let the nginx master process, which starts as root, switch its worker processes to the unprivileged nginx user; CHOWN lets it fix ownership of the directories it writes to (logs, cache). If you run the image as a non-root user from the start (the nginxinc/nginx-unprivileged image does this and listens on 8080), these three are no longer needed.
    • NET_BIND_SERVICE allows the web server to bind to well-known ports (those below 1024), here port 80.

Conspicuously absent are NET_RAW (raw sockets, which a compromised container could use to sniff or spoof traffic on the bridge network) and DAC_OVERRIDE (bypassing file permission checks), both of which are in the default set. After docker compose up -d, confirm the result by reading the CapEff line of /proc/1/status inside the container: the mask for exactly these four capabilities is 00000000000004c1. Check PID 1 rather than a worker process; once nginx switches a worker to the nginx user, the kernel clears that process's effective set, which is precisely what SETUID and SETGID are there for.
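To make the rules above concrete, here is an added shell script (not part of the article and not Docker's own code) that computes the capability set a service ends up with from its cap_drop and cap_add lists, decodes the CapEff mask from /proc/<pid>/status, and compares the two for a running service. It assumes Docker's documented default set of fourteen capabilities, the bit numbering from linux/capability.h, and the docker compose v2 plugin; container_caps and verify_service are the only parts that touch Docker, and every function name here is this example's own. It also covers the earlier sections on this page: decode_caps is how you see what a process really holds, and effective_set shows why dropping NET_ADMIN or adding NET_RAW on a stock daemon leaves the default set unchanged.

```shell
#!/bin/sh
# Added example (not from the article or from Docker): work out which capabilities
# a Compose service will hold, decode what a running process actually has, and
# compare the two. The calculations need only POSIX sh; container_caps and
# verify_service need Docker Engine with the Compose plugin (docker compose v2).

# Capability names indexed by bit number, as in <linux/capability.h> (bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# The 14 capabilities Docker grants a non-privileged container when neither
# cap_add nor cap_drop is set (from the Docker Engine documentation).
DOCKER_DEFAULT_CAPS="chown dac_override fowner fsetid kill setgid setuid setpcap \
net_bind_service net_raw sys_chroot mknod audit_write setfcap"

# in_list NEEDLE "word list" -> succeeds if NEEDLE is one of the words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# norm_list "NET_RAW CAP_SYS_ADMIN" -> "net_raw sys_admin ": Compose accepts both
# spellings case-insensitively, so normalise before comparing.
norm_list() {
    for w in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
        printf '%s ' "${w#cap_}"
    done
}

# decode_caps HEXMASK -> names of the set bits, in bit order. HEXMASK is the value
# after CapEff:/CapBnd: in /proc/<pid>/status, e.g. 00000000a80425fb.
decode_caps() {
    [ -n "$1" ] || { echo "decode_caps: empty mask" >&2; return 1; }
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
        bit=$((bit + 1))
    done
    printf '%s\n' "${out# }"
}

# caps_mask "name list" -> the 16-digit hex mask /proc would show for that set
caps_mask() {
    mask=0; bit=0
    for name in $CAP_NAMES; do
        if in_list "$name" "$1"; then mask=$((mask | (1 << bit))); fi
        bit=$((bit + 1))
    done
    printf '%016x\n' "$mask"
}

# effective_set "CAP_DROP LIST" "CAP_ADD LIST" -> the set the container gets.
# Rules as implemented by Docker Engine: ALL in cap_drop keeps only the adds;
# ALL in cap_add keeps everything except the drops; otherwise the default set
# minus the drops plus the adds (an add wins over a drop of the same name).
effective_set() {
    drops=$(norm_list "$1"); adds=$(norm_list "$2"); base=$DOCKER_DEFAULT_CAPS
    if in_list all "$drops"; then base=""; fi
    if in_list all "$adds"; then base=$CAP_NAMES; adds=""; fi
    out=""
    for name in $CAP_NAMES; do
        if { in_list "$name" "$base" && ! in_list "$name" "$drops"; } \
            || in_list "$name" "$adds"; then
            out="$out $name"
        fi
    done
    printf '%s\n' "${out# }"
}

# container_caps SERVICE -> decoded CapEff of PID 1 in a running Compose service
# (assumes the image has grep, which the official nginx image does).
container_caps() {
    hex=$(docker compose exec -T "$1" grep '^CapEff:' /proc/1/status | awk '{print $2}')
    decode_caps "$hex"
}

# verify_service SERVICE "CAP_DROP LIST" "CAP_ADD LIST" -> succeeds only if the
# running container holds exactly the set its cap_drop/cap_add should produce.
verify_service() {
    want=$(effective_set "$2" "$3"); got=$(container_caps "$1")
    if [ "$want" = "$got" ]; then
        echo "$1: ok ($got)"
    else
        echo "$1: MISMATCH"; echo "  expected: $want"; echo "  actual:   $got"
        return 1
    fi
}

# From the directory holding the article's nginx compose file, after
# `docker compose up -d`:
#   verify_service webserver ALL "CHOWN SETGID SETUID NET_BIND_SERVICE"
# Offline, the same rules show which settings are no-ops on a stock daemon:
#   effective_set NET_ADMIN ""            -> identical to DOCKER_DEFAULT_CAPS
#   effective_set "" NET_RAW              -> identical to DOCKER_DEFAULT_CAPS
#   effective_set ALL NET_BIND_SERVICE    -> net_bind_service (mask 0000000000000400)
```

The comparison deliberately targets PID 1 of the service (the nginx master): a worker that has already switched to the nginx user will show an empty CapEff, which is expected. If verify_service reports a mismatch, the usual culprits are a privileged: true on the service, a cap_add of ALL somewhere in the same service definition, or a daemon configured with a non-default capability set.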

Conclusion

Understanding and using cap_add and cap_drop within Docker Compose can significantly improve the security of your containerized applications without breaking them. The pattern to reach for is the one in the web server example: drop ALL, add back only what the workload demonstrably needs, and then verify the result from inside the running container rather than trusting the YAML. Remember that dropping a capability the container never had changes nothing, that adding one it already had changes nothing, and that privileged: true throws the whole mechanism away. Capabilities control what root inside the container can do; combining them with a non-root user: setting and security_opt: - no-new-privileges:true closes off the remaining paths to privilege. Whether running a simple web server or a complex microservices architecture, keeping each container's capability set minimal is a crucial step toward secure Docker deployments.
