How to set Linux capabilities on docker swarm mode service invocations
Solution 1:
It's currently not supported, but Docker is working on a solution. The logic behind not including the --cap-add option blindly is that in a large cluster there could be security concerns about a manager submitting containers with added privileges to a worker. The worker may trust running secure containers that can't access the host, but not want to allow remote root access to the host via a privileged container.
Discussion on this is over on github at:
https://github.com/docker/docker/pull/26849#issuecomment-252704844
https://github.com/docker/swarmkit/issues/1030
https://github.com/docker/swarmkit/pull/1722
https://github.com/moby/moby/issues/25885#issuecomment-557790402 and https://github.com/docker/cli/pull/2199
Solution 2:
All of the other answers here are old. Docker 20.10.0 and newer now supports specifying capabilities for Swarm services via the docker service command line and the Docker Stack YAML file format.
On the command line, you just specify --cap-add [capability] or --cap-drop [capability].
And here is an example for adding a capability in a Docker Stack YAML file:
version: "3.9"
services:
  your-service:
    cap_add:
      - CAP_SYS_ADMIN
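Declaring cap_add / cap_drop in the stack file is only half of the job; a worker running an older engine, or a later edit to the service, can leave the container with a different effective set than intended. The following is an added example (not code from either answer, and not Docker's own tooling) that decodes the CapEff mask from a container's /proc/self/status and compares it with what a service's cap_add / cap_drop lists should produce. It assumes the bit order of linux/capability.h, that Docker's merge rule is "ALL in cap_add means every capability, ALL in cap_drop means start from nothing, then add cap_add and remove cap_drop", and that the engine's default set is the historical 14-capability list; the status fragment is constructed.

```python
# Added example: decode the effective capability mask a container actually
# runs with and compare it with what cap_add / cap_drop declare, so drift
# between the stack file and the runtime is caught.
# Assumptions (not stated on the page): bit order follows linux/capability.h;
# Docker's merge rule is "ALL in cap_add => every cap, ALL in cap_drop => start
# empty, then add cap_add, then remove cap_drop"; DOCKER_DEFAULT_CAPS is the
# historical default list (verify it against your engine version).

# Capability names by bit index, as in linux/capability.h.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Docker's historical default capability set (assumed; check your engine docs).
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
})


def normalize(cap):
    """Accept 'CAP_SYS_ADMIN', 'sys_admin' or 'ALL' and return 'SYS_ADMIN' / 'ALL'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapBnd hex value from /proc/<pid>/status into a set of names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def effective_caps_from_status(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_cap_mask(line.split(":", 1)[1].strip())
    raise ValueError("no CapEff line found")


def expected_caps(cap_add=(), cap_drop=(), base=DOCKER_DEFAULT_CAPS):
    """Apply cap_add / cap_drop to the base set using the assumed Docker rule."""
    adds = {normalize(c) for c in cap_add}
    drops = {normalize(c) for c in cap_drop}
    if "ALL" in adds:
        caps = set(CAP_NAMES)
    elif "ALL" in drops:
        caps = set()
    else:
        caps = set(base)
    caps |= adds - {"ALL"}
    caps -= drops - {"ALL"}
    return caps


def capability_drift(status_text, cap_add=(), cap_drop=()):
    """Return (unexpected, missing): caps present but not declared, and vice versa."""
    actual = effective_caps_from_status(status_text)
    wanted = expected_caps(cap_add, cap_drop)
    return sorted(actual - wanted), sorted(wanted - actual)


# Constructed sample: a /proc/self/status fragment as it would look for a
# container started with the default set plus CAP_SYS_ADMIN (bit 21).
SAMPLE_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a82425fb
CapEff:\t00000000a82425fb
CapBnd:\t00000000a82425fb
"""

if __name__ == "__main__":
    # A service that declared cap_drop: [ALL] plus cap_add: [NET_BIND_SERVICE]
    # but is observed running with SAMPLE_STATUS shows every extra capability.
    unexpected, missing = capability_drift(SAMPLE_STATUS, ["NET_BIND_SERVICE"], ["ALL"])
    print("unexpected:", unexpected)
    print("missing:", missing)
```

In practice you would feed the function the output of `docker exec <task-container> cat /proc/self/status` on the worker and the service's cap_add / cap_drop lists from the stack file; a non-empty "unexpected" list means the task is running with more than the stack file grants, and that is the condition the first answer's concern about workers is really about.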