Namespaces and Kernel Capabilities
Containers are isolated at the kernel level using namespaces and kernel-level capabilities. Cycle lets you configure both on a per-container basis. This reference breaks down each namespace and kernel capability so you can customize them to do exactly what you need.
Namespaces
Cycle utilizes kernel namespaces to provide the isolated workspace called the container. Each aspect of a "container" runs in a separate namespace, limiting its access. The more namespaces assigned to a container, the more "isolated" it is. By default, Cycle applies ALL namespaces.
| Namespace | Description |
|---|---|
| pid | Process isolation - The container sees itself as process (pid) 1 and no other processes on the host are visible. |
| net | Network isolation - The container gets a completely isolated network stack, and cannot see interfaces on the host system. |
| ipc | Inter-Process Communications isolation - Isolates communication with other processes. |
| mount | Mount point isolation - The container cannot see host mounts (drives). |
| user | User isolation - The user inside the container is mapped to id 0. |
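Because each namespace is identified by an inode that the kernel exposes as a symlink under `/proc/<pid>/ns/`, you can verify from the host which of the namespaces above a container process actually has to itself: two processes share a namespace exactly when the inodes match. The following is an added example for this reference, not Cycle's own tooling; the process ids, inode numbers and the `isolation_report` helper are constructed for illustration.

```python
"""Check which kernel namespaces a process shares with another process.

/proc/<pid>/ns/<name> is a symlink whose target looks like "net:[4026531840]";
the number in brackets is the inode that identifies the namespace. A container
process that still shares the host's net or pid namespace is not isolated in
that dimension, whatever its configuration claims.
"""
import os
from typing import Dict, List

# The namespace types listed in the reference table. /proc names the mount
# namespace "mnt"; uts, cgroup and time namespaces also exist but are left out
# here so the report lines up with the table above.
NAMESPACES = ("pid", "net", "ipc", "mnt", "user")


def parse_ns_link(target: str) -> int:
    """Extract the inode from a link target such as 'net:[4026531840]'."""
    _kind, _, rest = target.partition(":")
    if not (rest.startswith("[") and rest.endswith("]")):
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return int(rest[1:-1])


def read_namespaces(pid: int) -> Dict[str, int]:
    """Read the namespace inodes of a live process (Linux only; reading another
    user's process needs the same access as ptrace). Missing entries are
    skipped so older kernels without a given namespace type still work."""
    result: Dict[str, int] = {}
    for name in NAMESPACES:
        try:
            result[name] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{name}"))
        except FileNotFoundError:
            continue
    return result


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Return the namespace types two processes have in common, sorted."""
    return sorted(name for name in a if name in b and a[name] == b[name])


def isolation_report(host: Dict[str, int], ctr: Dict[str, int]) -> Dict[str, str]:
    """Per namespace type, 'isolated' if the container has its own, 'SHARED'
    if it is the host's, 'unknown' if either side lacks the entry."""
    report = {}
    for name in NAMESPACES:
        if name not in host or name not in ctr:
            report[name] = "unknown"
        else:
            report[name] = "SHARED" if host[name] == ctr[name] else "isolated"
    return report


# Constructed sample: a container that got its own pid, ipc and mnt namespaces
# but is still in the host's net and user namespaces (inode numbers invented).
HOST_NS = {"pid": 4026531836, "net": 4026531840, "ipc": 4026531839,
           "mnt": 4026531841, "user": 4026531837}
CONTAINER_NS = {"pid": 4026532500, "net": 4026531840, "ipc": 4026532501,
                "mnt": 4026532502, "user": 4026531837}

if __name__ == "__main__":
    # On a Linux host, compare this process with pid 1; elsewhere fall back to
    # the constructed sample so the script still demonstrates the report.
    host = read_namespaces(1) or HOST_NS
    me = read_namespaces(os.getpid()) or CONTAINER_NS
    for ns, state in isolation_report(host, me).items():
        print(f"{ns:5} {state}")
```

Run it from the host against a container's pid (replace `os.getpid()` with that pid) and any line reporting `SHARED` is a namespace the container configuration did not actually apply.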
Kernel Capabilities
You can add extra kernel-level capabilities to fine-tune what permissions your containers have.
| Type | Capability | Description |
|---|---|---|
| Base | CAP_AUDIT_WRITE | Write records to the kernel auditing log. |
| Base | CAP_CHOWN | Make arbitrary changes to file UIDs and GIDs. |
| Base | CAP_FSETID | Keep set-user-ID and set-group-ID bits when a file is modified; set the set-group-ID bit on a file whose GID does not match the process's filesystem or supplementary GIDs. |
| Base | CAP_DAC_OVERRIDE | (discretionary access control) Bypass file read, write, and execute permission checks. |
| Base | CAP_FOWNER | Bypass permission checks on operations that normally require the process's filesystem UID to match the file's UID (e.g. chmod, utime), excluding those covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. |
| Base | CAP_SETFCAP | Set arbitrary capabilities on a file. |
| Base | CAP_SETGID | Make arbitrary manipulations of process GIDs and the supplementary GID list; forge GIDs when passing socket credentials. |
| Base | CAP_SETUID | Make arbitrary manipulations of process UIDs; forge UIDs when passing socket credentials. |
| Base | CAP_KILL | Bypass permission checks for sending signals. This includes use of the ioctl KDSIGACCEPT operation. |
| Base | CAP_MKNOD | Create special files using mknod. |
| Base | CAP_NET_BIND_SERVICE | Bind a socket to Internet domain privileged ports (port numbers under 1024). |
| Base | CAP_SYS_CHROOT | Use chroot(2). |
| Privileged | CAP_AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
| Privileged | CAP_AUDIT_READ | Allow reading the audit log via a multicast netlink socket. |
| Privileged | CAP_SETPCAP | Transfer any capability in your permitted set to any pid; remove any capability in your permitted set from any pid. |
| Privileged | CAP_DAC_READ_SEARCH | Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. |
| Privileged | CAP_NET_ADMIN | Perform various network-related operations (interface configuration, routing tables, firewall rules, and similar). |
| Privileged | CAP_NET_RAW | Use RAW and PACKET sockets; bind to any address for transparent proxying. |
| Privileged | CAP_SYS_ADMIN | Perform a range of system administration operations - * avoid if possible * |
| Privileged | CAP_SYS_MODULE | Load and unload kernel modules. |
| Privileged | CAP_SYS_NICE | Raise the process nice value and change the nice value of arbitrary processes; set real-time scheduling policies, CPU affinity and I/O scheduling class. |
| Privileged | CAP_SYS_PACCT | Allow configuration of process accounting. |
| Privileged | CAP_SYS_PTRACE | Allow ptrace() of any process. |
| Privileged | CAP_SYS_RAWIO | Perform I/O port operations (iopl, ioperm); access /proc/kcore; open /dev/mem and /dev/kmem. |
| Privileged | CAP_SYS_RESOURCE | Override resource limits (RLIMIT), disk quota limits and reserved filesystem space. |
| Privileged | CAP_SYSLOG | Allow syslog(2). |
| Privileged | CAP_IPC_LOCK | Lock memory (mlock, mlockall, mmap with MAP_LOCKED, shmctl SHM_LOCK). |
| Privileged | CAP_IPC_OWNER | Override IPC ownership checks. |
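The kernel reports a process's capability sets in `/proc/<pid>/status` as hex bitmasks (`CapEff` is the effective set), where bit n is capability number n from capabilities(7). The decoder below, an added example rather than Cycle's code, turns such a mask into names and separates them into the Base and Privileged groups from the table above, so you can confirm from inside a container (`cat /proc/self/status`) or from the host that a container ended up with only the capabilities you intended. The sample status lines are constructed; the `audit_effective` helper and the Base/Privileged grouping are this example's own.

```python
"""Decode Linux capability bitmasks from /proc/<pid>/status and flag the
capabilities the reference above classifies as Privileged."""
import os
import re
from typing import Dict, List

# Capability numbers from capabilities(7): CAP_NAMES[n] is capability n.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The two groups exactly as the table above lists them.
BASE = {
    "CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_FSETID", "CAP_DAC_OVERRIDE",
    "CAP_FOWNER", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETUID", "CAP_KILL",
    "CAP_MKNOD", "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT",
}
PRIVILEGED = {
    "CAP_AUDIT_CONTROL", "CAP_AUDIT_READ", "CAP_SETPCAP", "CAP_DAC_READ_SEARCH",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_SYS_MODULE",
    "CAP_SYS_NICE", "CAP_SYS_PACCT", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_SYS_RESOURCE", "CAP_SYSLOG", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
}


def decode_mask(mask: int) -> List[str]:
    """Return the names of every capability whose bit is set, lowest bit first.
    Bits beyond the known table (newer kernels) are reported as CAP_<n>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def encode_mask(names) -> int:
    """Inverse of decode_mask for known capability names."""
    return sum(1 << CAP_NAMES.index(n) for n in names)


def parse_status(text: str) -> Dict[str, int]:
    """Pull the Cap* lines out of /proc/<pid>/status text into {set: mask}."""
    sets: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def audit_effective(text: str) -> Dict[str, List[str]]:
    """Split the effective capability set into base / privileged / other."""
    sets = parse_status(text)
    if "CapEff" not in sets:
        raise ValueError("no CapEff line found in status text")
    names = decode_mask(sets["CapEff"])
    return {
        "base": [n for n in names if n in BASE],
        "privileged": [n for n in names if n in PRIVILEGED],
        "other": [n for n in names if n not in BASE and n not in PRIVILEGED],
    }


# Constructed samples (abridged status files). The first mask is exactly the
# Base set; the second adds CAP_NET_RAW (bit 13) and CAP_SYS_ADMIN (bit 21).
SAMPLE_BASE_ONLY = """Name:\tnginx
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80404fb
CapEff:\t00000000a80404fb
CapBnd:\t00000000a80404fb
CapAmb:\t0000000000000000
"""
SAMPLE_PRIVILEGED = SAMPLE_BASE_ONLY.replace("a80404fb", "a82424fb")

if __name__ == "__main__":
    # Audit this process if /proc is available, otherwise the constructed sample.
    try:
        with open("/proc/self/status") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_PRIVILEGED
    for group, caps in audit_effective(text).items():
        print(f"{group:10} {', '.join(caps) or '-'}")
```

Anything under `privileged` in the output is a capability the table marks as Privileged, and anything under `other` is one the reference does not list at all; both are worth a second look in the container's configuration.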
Further Reading
Need Help?
If you've got questions about the platform or need some help getting started, our team is more than happy to assist. Whether you're new to containers or just new to Cycle, reach out to us via livechat by clicking the blue circle in the bottom right corner. Join our Slack channel, and get help from the dev team or other members of the community, and check out our Roadmap to see what's planned for the future!