Drop all capabilities by default in Elastic Agent containers #1794
Conversation
| @@ -18,6 +18,8 @@ services: | |||
| - {{ . }} | |||
| {{- end }} | |||
| {{ end }} | |||
| cap_drop: | |||
| - ALL | |||
There was a problem hiding this comment.
What do you think about trying to drop all capabilities also in the main docker compose, and test with integrations?
There was a problem hiding this comment.
Ok, I'll update those scenarios and run a test with integrations.
Wondering what to do in the template used for custom agents (servicedeployer). For that case, packages could also define some cap_drop. It's also true that until now some capabilities are just added with cap_add. But looking at the code of moby, if ALL is present in cap_drop , all capabilities are drop...
There was a problem hiding this comment.
It looks like there are no issues when cap_drop ALL is set:
elastic/integrations#9694
There was a problem hiding this comment.
Should we update also custom agent template ? As there are no packages using cap_drop in the integrations repository, probably it's a good idea, WDYT ?
|
test integrations |
|
Created or updated PR in integrations repository to test this version. Check elastic/integrations#9694 |
|
test integrations |
|
Created or updated PR in integrations repository to test this version. Check elastic/integrations#9694 |
💚 Build Succeeded
History
cc @mrodm |
mrodm
changed the title
Part of #787
In docker/docker-compose there are some capabilities that are added by default to every container (https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
This PR ensures that agents are started with the minimum required capabilities, dropping by default all of them.
If
ALLit is defined incap_dropfield, then it just adds the Linux capabilities for the container defined incap_add:https://github.com/moby/moby/blob/82d8f8d6e6dbc88ed437b8bf6c38399b46ba7d93/oci/caps/utils.go#L112-L114