robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4
MIT License

Is it possible to use capabilities rather than the catchall --privileged? #5

Closed cooperaj closed 5 years ago

cooperaj commented 7 years ago

--cap-add NET_ADMIN for instance?

robbertkl commented 7 years ago

Good idea, I'm not sure. Could you perhaps try and let me know? I can then update the documentation (or you could submit a PR).

Please note that if some ipv6/ip6tables related kernel modules are not loaded, ip6tables will automatically load them on first start. This requires mounting /lib/modules (see README), but probably also requires the --privileged.

robbertkl commented 7 years ago

Closed due to inactivity.

navossoc commented 6 years ago

Just a note. I'm using this way:

    cap_add:
      - NET_ADMIN # Perform various network-related operations.
      - SYS_MODULE # Load and unload kernel modules.

It is working for me.

[]'s

j7an commented 5 years ago

@robbertkl Could we reopen this issue? I can submit a PR to update the readme from @navossoc's findings if you like, but don't have a VPS to test at the moment.

robbertkl commented 5 years ago

Sure, I'm always open to PRs. Especially if it's just a README addition. I've reopened.

zhangyoufu commented 4 years ago

It is worth mentioning in the README that CAP_SYS_MODULE is only needed when we bind mount /lib/modules and let ip6tables load the necessary kernel modules for us.

Personally I prefer echo ip6_tables >/etc/modules-load.d/ipv6nat.conf to load the necessary kmod on boot, and reduce the capabilities required by the ipv6nat container.
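An added example (not from this thread or the project's README) putting navossoc's capability list and zhangyoufu's remark together: two Compose definitions of the same container, one keeping SYS_MODULE because /lib/modules is bind-mounted and ip6tables may load modules itself, the other dropping it because the host preloads ip6_tables at boot. The image name robbertkl/ipv6nat and the read-only Docker socket mount are assumptions from my reading of the project, not from this thread; run one variant or the other, not both.

```yaml
# Added example, not from the thread or the project's README.
# Assumes image robbertkl/ipv6nat and a read-only Docker socket mount.
services:

  # Variant A: the container may load kernel modules itself (navossoc's setup).
  # SYS_MODULE is only justified because /lib/modules is bind-mounted and
  # ip6tables will modprobe what it needs (e.g. ip6_tables) on first run.
  ipv6nat-selfload:
    image: robbertkl/ipv6nat
    network_mode: host
    restart: unless-stopped
    cap_drop:
      - ALL          # start from nothing instead of --privileged
    cap_add:
      - NET_ADMIN    # manipulate ip6tables rules
      - NET_RAW      # required by the iptables userspace program
      - SYS_MODULE   # load kernel modules from the mounted /lib/modules
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /lib/modules:/lib/modules:ro

  # Variant B: the host preloads the modules, so the container needs neither
  # SYS_MODULE nor /lib/modules. On the host, once:
  #   echo ip6_tables > /etc/modules-load.d/ipv6nat.conf
  #   modprobe ip6_tables   # load it now rather than waiting for a reboot
  # If ip6tables still reports a missing table, add that module to the
  # same file rather than handing SYS_MODULE back to the container.
  ipv6nat-preloaded:
    image: robbertkl/ipv6nat
    network_mode: host
    restart: unless-stopped
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      - NET_RAW      # still needed unless the iptables binary itself is patched
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
```

Because cap_drop ALL is applied first, the cap_add list is the container's complete bounding set, which makes a later capability audit (e.g. reading /proc/1/status inside the container) easy to compare against what ip6tables actually needs.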

zhangyoufu commented 4 years ago

CAP_NET_RAW is required by iptables, but I think it can be avoided without losing any functionality.

If anyone wants to patch iptables: (I didn't test it, just a memo)

  1. PF_NETLINK accepts both SOCK_RAW and SOCK_DGRAM according to netlink(7)
  2. netfilter sockopts should be reachable from tcp/udp sockets, SOCK_RAW can be avoided.

Or replace github.com/coreos/go-iptables/iptables with something that talks to netlink directly without invoking iptables userspace program.

robbertkl commented 4 years ago

Thanks @zhangyoufu, those are very useful additions. Could you send me a PR with suggested README changes regarding CAP_SYS_MODULE?

Getting rid of requiring CAP_NET_RAW would be great as well, but I’m not sure the proposed changes are worth it right now. If you think this can be done easily, I’m always open to PRs!

zhangyoufu commented 4 years ago

@robbertkl I have proposed PR #54 on README changes. I have prepared a patched version of iptables without CAP_NET_RAW, please check out https://github.com/zhangyoufu/alpine and try. I may send a small patch to upstream. I sent a small patch to upstream and was rejected.