
Question on capabilities required for non-root OpenResty podman container on SELinux-enabled RHEL 9.4 #265

Open
dhinakaran-aaru opened this issue Nov 27, 2024 · 0 comments


I'm running an OpenResty nginx container on top of an SELinux-enabled RHEL 9.4 host box.
What are the minimum capabilities the nginx container should have for the basic OpenResty nginx + Lua functionality to work properly? I wanted to know whether any functionality will break if I remove any of the capabilities.
The Podman container is started as a non-root user:

These are the default capabilities added when I start the container.
cap_chown
cap_dac_override
cap_fowner
cap_fsetid
cap_kill
cap_net_bind_service
cap_setfcap
cap_setgid
cap_setpcap
cap_setuid
cap_sys_chroot

I understand that cap_net_bind_service is required to bind any system port in the container.

I could start the container with just these 2 capabilities: cap_net_bind_service and cap_setuid.

Will there be any problem from removing the other capabilities? Is it mandatory to have the cap_setuid capability?
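
The practical way to answer a question like this is to drop to an explicit allowlist with --cap-drop=all, then read back what the container's PID 1 actually holds from /proc/1/status and exercise the workload. The script below is an added example written for this page; it is not code from the issue author, from Podman, or from OpenResty. It decodes the CapEff/CapBnd hex mask that /proc prints into capability names (the same decoding capsh --decode does), reports which of a required set are missing, and builds the podman run line for a given allowlist. The image name and the two-capability allowlist used in the usage comments are assumptions taken from the question; the capability numbering is from the kernel's include/uapi/linux/capability.h. One caveat worth knowing before dropping cap_setuid: the nginx master only needs it if it changes identity to the user directive in nginx.conf, so a container that already runs as a non-root UID and has no effective user switch never exercises it.

```shell
#!/bin/sh
# Added example (not from the issue or the OpenResty project): decode the
# CapEff bitmask that /proc/<pid>/status prints inside a container, check it
# against a required allowlist, and build a "podman run" line that drops all
# default capabilities except that allowlist.
# Capability bit numbers follow include/uapi/linux/capability.h (0..40).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_name N -> cap_<name> for bit N, or cap_N if the kernel is newer than the table.
cap_name() {
    n=$1
    set -- $CAP_NAMES
    if [ "$n" -lt "$#" ]; then
        shift "$n"
        echo "cap_$1"
    else
        echo "cap_$n"
    fi
}

# decode_caps HEX -> space-separated capability names, lowest bit first.
# HEX is the bare value after "CapEff:" (or CapBnd:/CapPrm:) in /proc/<pid>/status.
decode_caps() {
    mask=$((0x$1))
    names=""
    i=0
    while [ "$i" -le 40 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            names="$names $(cap_name "$i")"
        fi
        i=$((i + 1))
    done
    echo "${names# }"
}

# missing_caps HEX CAP... -> prints the required caps absent from the mask;
# exit status is 1 if any are missing, so it can gate a startup check.
missing_caps() {
    have=" $(decode_caps "$1") "
    shift
    missing=""
    for want in "$@"; do
        case "$have" in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# podman_run_cmd IMAGE CAP... -> the run line with --cap-drop=all plus the allowlist.
# Podman accepts capability names without the CAP_ prefix, e.g. NET_BIND_SERVICE.
podman_run_cmd() {
    img=$1
    shift
    cmd="podman run --rm -d --cap-drop=all"
    for c in "$@"; do
        cmd="$cmd --cap-add=$c"
    done
    echo "$cmd $img"
}

# Usage: sh caps.sh <hex>, where <hex> is the container's PID 1 effective set,
# obtained with (image and container name are assumptions):
#   podman exec <ctr> awk '/^CapEff/ {print $2}' /proc/1/status
if [ $# -gt 0 ]; then
    decode_caps "$1"
fi
```

Feeding the default rootless-Podman mask 00000000800405fb to decode_caps yields exactly the eleven capabilities listed in the question, and 0000000000000480 yields only cap_setuid and cap_net_bind_service, which is a quick way to confirm that --cap-drop=all plus --cap-add took effect. Capabilities and SELinux are independent controls: a denial that survives a generous capability set will show up in the audit log as an AVC, not as EPERM from a missing capability.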
