Namespaces and Kernel Capabilities

Containers are isolated at the kernel level using namespaces and kernel-level capabilities. With Cycle you can configure both on a per-container basis. This reference breaks down each namespace and kernel capability so you can customize them to do exactly what you need.

Namespaces

Cycle utilizes kernel namespaces to provide the isolated workspace called the container. Each aspect of a "container" runs in a separate namespace, limiting its access. The more namespaces assigned to a container, the more "isolated" it is. By default, Cycle applies ALL namespaces.

Namespace   Description
pid         Process isolation - The container sees itself as process (pid) 1 and no other processes on the host are visible.
net         Network isolation - The container gets a completely isolated network stack, and cannot see interfaces on the host system.
ipc         Inter-Process Communications isolation - Isolates communication with other processes.
mount       Mount point isolation - The container cannot see host mounts (drives).
user        User isolation - The user inside the container is mapped to id 0.
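The following is an added example, not code from Cycle or from this page, showing how to verify from the host that a container really sits in its own namespaces: the kernel exposes each process's namespaces as symlinks under /proc/<pid>/ns/, and two processes share a namespace exactly when those links resolve to the same identifier. The identifiers in HOST_NS and CONTAINER_NS are constructed sample values, and the check uses "mnt" because that is how /proc spells the mount namespace described above. Reading another process's namespace links on the host generally requires root.

```python
import os

# The five namespaces the table above describes. The /proc entry for the
# mount namespace is spelled "mnt", so the page's "mount" maps to that name.
NAMESPACES = ("pid", "net", "ipc", "mnt", "user")


def read_namespaces(pid="self"):
    """Return {namespace: identifier} for a process from /proc/<pid>/ns/*.

    Each symlink resolves to a string such as "net:[4026531840]". Two processes
    are in the same namespace exactly when that string is identical. Entries the
    kernel or /proc cannot provide are skipped rather than treated as shared.
    """
    found = {}
    for name in NAMESPACES:
        try:
            found[name] = os.readlink(f"/proc/{pid}/ns/{name}")
        except OSError:
            continue
    return found


def shared_namespaces(container, host):
    """Namespaces in which `container` is NOT isolated from `host`.

    Both arguments are mappings as produced by read_namespaces(). A namespace
    counts as shared only if both sides report it and the identifiers match;
    an empty result means every checked namespace is separate.
    """
    return sorted(
        name for name in NAMESPACES
        if name in container and name in host and container[name] == host[name]
    )


# Constructed sample identifiers (not captured from a real system). The
# container below has its own pid, ipc, mnt and user namespaces but reports
# the same net identifier as the host, i.e. it shares the host network stack.
HOST_NS = {
    "pid": "pid:[4026531836]",
    "net": "net:[4026531840]",
    "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531841]",
    "user": "user:[4026531837]",
}
CONTAINER_NS = {
    "pid": "pid:[4026532200]",
    "net": "net:[4026531840]",
    "ipc": "ipc:[4026532198]",
    "mnt": "mnt:[4026532201]",
    "user": "user:[4026532203]",
}


def audit_container(container_pid):
    """Run on the host: compare a container's init process against host pid 1.

    `container_pid` is the host-side pid of the container's first process
    (a hypothetical input; obtain it from your runtime's inspect output).
    """
    return shared_namespaces(read_namespaces(container_pid), read_namespaces(1))


if __name__ == "__main__":
    # With the constructed sample data this reports ["net"].
    print("sample container shares with host:", shared_namespaces(CONTAINER_NS, HOST_NS))
```

A non-empty result is the thing to alert on: a container that shares "net" sees the host's interfaces, one that shares "pid" can see (and, with the right capability, signal) host processes, and one that shares "mnt" sees host mounts, which is exactly what the namespaces above are meant to prevent.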

Kernel Capabilities

You can add extra kernel-level capabilities to fine-tune what permissions your containers have.

Type        Capability            Description
Base        CAP_AUDIT_WRITE       Write records to kernel auditing log.
Base        CAP_CHOWN             Make arbitrary changes to file UIDs and GIDs.
Base        CAP_FSETID            • Don't clear set-user-ID and set-group-ID mode bits when a file is modified.
                                  • Set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs of the calling process.
Base        CAP_DAC_OVERRIDE      (discretionary access control) Bypass file read, write, and execute permission checks.
Base        CAP_FOWNER            • Bypass permission checks on the operations that normally require the filesystem UID of the process to match the UID of the file, excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
                                  • Set inode flags (see inode flags) on arbitrary files.
                                  • Set "Access Control Lists" (ACLs) on arbitrary files.
                                  • Ignore directory sticky bit on file deletion.
                                  • Specify O_NOATIME for arbitrary files in open() and fcntl().
Base        CAP_SETFCAP           Set arbitrary capabilities on a file.
Base        CAP_SETGID            • Make arbitrary manipulations of process GIDs and supplementary GID list.
                                  • Forge GID when passing socket credentials via UNIX domain sockets.
                                  • Write a group ID mapping in a user namespace.
Base        CAP_SETUID            • Make arbitrary manipulations of process UIDs (setuid(), setreuid(), setresuid(), setfsuid()).
                                  • Forge UID when passing socket credentials via UNIX domain sockets.
                                  • Write a user ID mapping in a user namespace.
Base        CAP_KILL              Bypass permission checks for sending signals. This includes use of the ioctl KDSIGACCEPT operation.
Base        CAP_MKNOD             Create special files using mknod.
Base        CAP_NET_BIND_SERVICE  Bind a socket to Internet domain privileged ports (port numbers under 1024).
Base        CAP_SYS_CHROOT        • Use chroot.
                                  • Change mount namespaces using setns.
Privileged  CAP_AUDIT_CONTROL     Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
Privileged  CAP_AUDIT_READ        Allow reading the audit log via a multicast netlink socket.
Privileged  CAP_SETPCAP           Transfer any capability in your permitted set to any pid; remove any capability in your permitted set from any pid.
Privileged  CAP_DAC_READ_SEARCH   Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
Privileged  CAP_NET_ADMIN         Perform various network-related operations:
                                  • interface configuration.
                                  • administration of IP firewall, masquerading, and accounting.
                                  • modify routing tables.
                                  • bind to any address for transparent proxying.
                                  • set type-of-service (TOS).
                                  • clear driver statistics.
                                  • set promiscuous mode.
                                  • enable multicasting.
Privileged  CAP_NET_RAW           • Use RAW and PACKET sockets.
                                  • Bind to any address for transparent proxying.
Privileged  CAP_SYS_ADMIN         Perform a range of system administration operations - * avoid if possible *
Privileged  CAP_SYS_MODULE        Load and unload kernel modules.
Privileged  CAP_SYS_NICE          • Allow raising priority and setting priority on other (different UID) processes.
                                  • Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process.
                                  • Allow setting CPU affinity on other processes.
Privileged  CAP_SYS_PACCT         Allow configuration of process accounting.
Privileged  CAP_SYS_PTRACE        Allow ptrace() of any process.
Privileged  CAP_SYS_RAWIO         • Allow ioperm/iopl access.
                                  • Allow sending USB messages to any device via /proc/bus/usb.
Privileged  CAP_SYS_RESOURCE      • Override resource limits. Set resource limits.
                                  • Override quota limits.
Privileged  CAP_SYSLOG            Allow syslog(2).
Privileged  CAP_IPC_LOCK          • Allow locking of shared memory segments.
                                  • Allow mlock and mlockall.
Privileged  CAP_IPC_OWNER         Override IPC ownership checks.
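The kernel reports a process's capability sets in /proc/<pid>/status as 64-bit hex masks (CapEff is the effective set), with one bit per capability. The following added example, not code from Cycle or from this page, decodes such a mask into capability names and reports any effective capability that is not in the "Base" group of the table above, so you can confirm from inside a container (or from the host) that only the intended capabilities are in play. The bit positions come from the kernel's linux/capability.h; the SAMPLE_STATUS excerpt is a constructed input whose mask includes two capabilities beyond the Base group.

```python
# Bit positions from the kernel's linux/capability.h (stable across releases;
# new capabilities are only ever appended at higher bit numbers).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}

# The twelve capabilities the table above marks as "Base"; everything else
# is treated as privileged by this check.
BASE_CAPS = frozenset({
    "CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_FSETID", "CAP_DAC_OVERRIDE",
    "CAP_FOWNER", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETUID", "CAP_KILL",
    "CAP_MKNOD", "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT",
})


def decode_caps(hexmask):
    """Turn a 64-bit hex capability mask (as printed in /proc) into a set of names."""
    mask = int(hexmask, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def encode_caps(names):
    """Inverse of decode_caps: build the 16-digit hex mask for a set of names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return f"{mask:016x}"


def effective_caps_field(status_text):
    """Extract the CapEff value from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("CapEff line not found")


def privileged_caps(status_text, allowed=BASE_CAPS):
    """Effective capabilities that fall outside the allowed (Base) set, sorted."""
    return sorted(decode_caps(effective_caps_field(status_text)) - allowed)


# Constructed excerpt of a /proc/<pid>/status file (not captured from a real
# host). Its mask carries the Base set plus CAP_SETPCAP and CAP_NET_RAW.
SAMPLE_STATUS = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def check_self():
    """Audit the calling process itself; works inside a container on Linux."""
    with open("/proc/self/status") as f:
        return privileged_caps(f.read())


if __name__ == "__main__":
    print("effective:", sorted(decode_caps(effective_caps_field(SAMPLE_STATUS))))
    print("outside Base set:", privileged_caps(SAMPLE_STATUS))
```

Run check_self() inside a container as a quick regression test after changing its capability configuration: an empty list means nothing beyond the Base group is effective. Note that CapEff only describes the current process; a setuid or file-capability binary inside the container can still gain anything up to the bounding set (CapBnd), so when the two differ it is CapBnd that bounds what the container can ever obtain.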

Need Help?

If you've got questions about the platform or need some help getting started, our team is more than happy to assist. Whether you're new to containers or just new to Cycle, reach out to us via livechat by clicking the blue circle in the bottom right corner. Join our Slack channel, and get help from the dev team or other members of the community, and check out our Roadmap to see what's planned for the future!