MauriceNino / dashdot

A simple, modern server dashboard, primarily used by smaller private servers
https://getdashdot.com/
MIT License
2.56k stars 94 forks

[Feature] Docker: Prefer `--cap-add` to `--privileged` #979

Closed zwimer closed 7 months ago

zwimer commented 8 months ago

Description of the feature

In the README, instructions are given using the `--privileged` flag; this makes running the program in a docker container and exposing it inherently dangerous. If we knew which capabilities specifically were needed, it would make the whole setup a lot safer, as then we could add only those (and leave out those we were not comfortable with).

It'd be nice if in the README it said something like this (the example uses fake info since, as per the issue, I do not know the real caps necessary or why):

Add `CAP_SYSLOG` to allow dash to show the 'syslog monitor'
Add `CAP_NET_ADMIN` to allow dash to show the 'firewall monitor'

Additional context

A list of linux capabilities can be found here: https://man7.org/linux/man-pages/man7/capabilities.7.html

If you know every feature that doesn't work without privileged (and do not know which capabilities are needed), one could discover them just by testing a dozen times, removing capabilities until only those necessary for functionality remain.
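The "remove capabilities until only the necessary ones remain" procedure described above can be scripted. The following is an added example, not code from the dashdot project or from this thread: a greedy minimiser that starts from the full capability list of capabilities(7), drops one capability at a time, and keeps a capability only if the feature check fails without it. The `docker_probe` function, the `IMAGE` name and the `PROBE_CMD` feature check are placeholders that you must replace with the container and the check for the feature you are testing; the probe passed to `minimize_caps` can be any shell function that returns 0 when the feature works.

```shell
#!/bin/sh
# Added example: greedy capability minimisation for a container (not dashdot's own code).
# A probe is a shell function that receives a space-separated capability list and
# returns 0 if the feature under test works with exactly those capabilities.

# All capability names as docker spells them (CAP_ prefix dropped), from capabilities(7).
ALL_CAPS="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ"

# drop_word LIST WORD: print LIST with one occurrence of WORD removed.
drop_word() {
  out=""
  for w in $1; do
    [ "$w" = "$2" ] || out="$out $w"
  done
  printf '%s' "${out# }"
}

# minimize_caps PROBE [CAPS]: try dropping every capability in turn and keep only
# those whose removal makes PROBE fail. Prints the surviving capability list.
minimize_caps() {
  probe=$1
  keep=${2:-$ALL_CAPS}
  for cap in $keep; do
    candidate=$(drop_word "$keep" "$cap")
    if "$probe" "$candidate"; then
      keep=$candidate          # feature still works without $cap: drop it for good
    fi
  done
  printf '%s\n' "$keep"
}

# caps_to_docker_flags CAPS: turn "NET_ADMIN SYSLOG" into
# "--cap-drop=ALL --cap-add=NET_ADMIN --cap-add=SYSLOG" for docker run.
caps_to_docker_flags() {
  flags="--cap-drop=ALL"
  for cap in $1; do
    flags="$flags --cap-add=$cap"
  done
  printf '%s\n' "$flags"
}

# Placeholder probe for a real container: IMAGE and PROBE_CMD are assumptions,
# replace them with the image and a command that exits 0 when the feature works.
IMAGE=${IMAGE:-"your-dashboard-image:tag"}
PROBE_CMD=${PROBE_CMD:-"exit 1"}
docker_probe() {
  # shellcheck disable=SC2046
  docker run --rm $(caps_to_docker_flags "$1") "$IMAGE" sh -c "$PROBE_CMD" >/dev/null 2>&1
}

# Only talks to docker when explicitly asked, so the file is safe to source.
if [ "${RUN_DOCKER_PROBE:-0}" = "1" ]; then
  minimize_caps docker_probe
fi
```

Run it as `RUN_DOCKER_PROBE=1 IMAGE=... PROBE_CMD='...' sh minimize_caps.sh` to get the reduced set for one feature, then repeat per feature and take the union. The greedy pass assumes that a feature which works with a set of capabilities also works with any superset, which holds for capability checks. It says nothing about the other effects of `--privileged` (device access, seccomp and AppArmor relaxations), so a feature that still fails with the full list is blocked by something other than capabilities.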

MauriceNino commented 8 months ago

Hi, thanks for the issue. Yeah, using `--cap-add` instead of `--privileged` was the initial plan for me as well. But unfortunately, during testing, I didn't get it to work (which could be because of a lack of knowledge back then). I don't know which parts were making problems, as that was a few years ago, but it was probably either storage, network or maybe minor parts of memory.

If you have the time to test it out, please let me know if you find out which caps are the correct ones.

MauriceNino commented 7 months ago

So I have now tested it out, and even with the `--cap-add=ALL` flag, some features do not work when omitting the `--privileged` flag.

Here is a screenshot on a linux box with `--cap-add=ALL`:

[Screenshot 2024-01-19 195249]

And here is a screenshot of the same linux box with `--privileged`:

[Screenshot 2024-01-19 195345]

So what you can see immediately is that the following is different:

So in the current state, I conclude that running without `--privileged` is not possible. If you find any other way, feel free to let me know!

zwimer commented 7 months ago

It might be worth mentioning, in case this is ever revisited or someone wants to make a PR:

In addition to capabilities, privileged does a few other things, specifically regarding devices (including network devices, as far as I'm aware), which might be relevant here given that the snapshots above seem to lack info about storage devices and network devices.

https://stackoverflow.com/questions/66635237/difference-between-privileged-and-cap-add-all-in-docker