Page MenuHomeVyOS Platform
Create Task
Maniphest T3676

Container option to add Linux capabilities
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

There are some containers that need some additional kernel capabilities which would normally be added via the --cap-add runtime option.

My proposal is to have a configuration option that looks like this:

set container name XYZ cap-add NET_ADMIN

The value of cap-add would be a list allowing more than one cap to be added.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedFEATURE REQUESTViacheslavT3676 Container option to add Linux capabilities
 ResolvedFEATURE REQUESTViacheslavT3916 Add additional Linux capabilities to container configuration
 InvalidFEATURE REQUESTNoneT3997 Add CAP_NET_RAW capability

Event Timeline

artooro created this task.Jul 11 2021, 3:44 PM
jack9603301 added a subscriber: jack9603301.Jul 11 2021, 3:54 PM
Viacheslav added a subscriber: Viacheslav.Jul 19 2021, 9:35 AM

Can you send more examples how it looks like in podman cli?
Which parameters do you set, and how to check if it is successfully applied?

Viacheslav changed the task status from Open to In progress.Oct 15 2021, 4:05 PM
Viacheslav claimed this task.
pasik added a subscriber: pasik.Oct 15 2021, 5:10 PM
Viacheslav added a comment.Oct 15 2021, 6:23 PM

PR https://github.com/vyos/vyos-1x/pull/1027

set container name foo allow-host-networks
set container name foo cap-add 'net-admin'
set container name foo cap-add 'sys-time'
set container name foo image 'busybox'
Viacheslav closed this task as Resolved.Oct 15 2021, 8:40 PM

@artooro Will be available in the next rolling release
Let us know, if you want some other capabilities

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.Oct 15 2021, 8:40 PM
johannrichard mentioned this in T3916: Add additional Linux capabilities to container configuration.Oct 19 2021, 6:17 PM
Viacheslav changed the status of subtask T3916: Add additional Linux capabilities to container configuration from Open to In progress.Oct 19 2021, 11:04 PM
Viacheslav changed the status of subtask T3916: Add additional Linux capabilities to container configuration from In progress to Needs testing.Oct 25 2021, 7:29 PM
artooro added a comment.Oct 25 2021, 7:32 PM

@Viacheslav this is great. I hope to get around to testing it this week.

Viacheslav closed subtask T3916: Add additional Linux capabilities to container configuration as Resolved.Oct 28 2021, 6:51 PM
bjw-s mentioned this in T3997: Add CAP_NET_RAW capability.Nov 16 2021, 10:25 AM
bjw-s closed subtask T3997: Add CAP_NET_RAW capability as Invalid.Nov 16 2021, 12:58 PM