| Capability | Description |
|---|---|
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
| SYS_ADMIN | Perform a range of system administration operations. |
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
| SYS_RESOURCE | Override resource limits. |
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
| MAC_ADMIN | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
| NET_ADMIN | Perform various network-related operations. |
| SYSLOG | Perform privileged syslog(2) operations. |
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
| WAKE_ALARM | Trigger something that will wake up the system. |
| BLOCK_SUSPEND | Employ features that can block system suspend. |

Further reference information is available on the capabilities(7) Linux man page.

Both flags support the value ALL, so if the operator wants to have all capabilities but MKNOD they could use:

For interacting with the network stack, instead of using `--privileged` they should use `--cap-add=NET_ADMIN` to modify the network interfaces.

To mount a FUSE based filesystem, you need to combine both `--cap-add` and `--device`:

The default seccomp profile will adjust to the selected capabilities, in order to allow use of facilities allowed by the capabilities, so you should not have to adjust this, since Docker 1.12. In Docker 1.10 and 1.11 this d > `--security-opt seccomp=unconfined` when adding capabilities.

Logging drivers (--log-driver)

The container can have a different logging driver than the Docker daemon. Use the `--log-driver=VALUE` with the docker run command to configure the container's logging driver.
The following options are supported:

| Driver | Description |
|---|---|
| none | Disables any logging for the container. docker logs won't be available with this driver. |
| json-file | Default logging driver for Docker. Writes JSON messages to file. No logging options are supported for this driver. |
| syslog | Syslog logging driver for Docker. Writes log messages to syslog. |
| journald | Journald logging driver for Docker. Writes log messages to journald. |
| gelf | Graylog Extended Log Format (GELF) logging driver for Docker. Writes log messages to a GELF endpoint like Graylog or Logstash. |
| fluentd | Fluentd logging driver for Docker. Writes log messages to fluentd (forward input). |
| awslogs | Amazon CloudWatch Logs logging driver for Docker. Writes log messages to Amazon CloudWatch Logs. |
| splunk | Splunk logging driver for Docker. Writes log messages to splunk using Event Http Collector. |

The docker logs command is available only for the json-file and journald logging drivers. For detailed information on working with logging drivers, see Configure logging drivers.
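
Returning to the capability options described earlier: the following is an added example, not part of the Docker documentation, that decodes the CapEff mask from /proc/<pid>/status inside a container and reports any capability that differs from the set the operator intended. The function names and the sample status text are constructed for illustration, and the all-but-MKNOD sample assumes a kernel with 41 capabilities.

```python
# Added example: audit a container's effective capabilities against the
# set the operator intended. The sample /proc status text is constructed.

# Bit order from <linux/capability.h>; names are written without the CAP_
# prefix, the way --cap-add accepts them.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Capabilities Docker grants when no capability options are given.
DOCKER_DEFAULT = set(
    "CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "NET_BIND_SERVICE NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP".split()
)

def parse_cap_eff(status_text):
    """Return the CapEff mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def decode(mask):
    """Map set bits to names; bits newer than this table are reported too."""
    held = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    extra = mask >> len(CAP_NAMES)
    if extra:
        held.add("UNKNOWN_BITS_%#x" % extra)
    return held

def audit(status_text, expected):
    """Compare the capabilities a process holds with the expected set."""
    held = decode(parse_cap_eff(status_text))
    return {"unexpected": sorted(held - expected),
            "missing": sorted(expected - held)}

# Constructed samples: defaults plus NET_ADMIN, and everything except MKNOD.
STATUS_NET_ADMIN = "Name:\tsh\nCapPrm:\t00000000a80435fb\nCapEff:\t00000000a80435fb\n"
STATUS_ALL_BUT_MKNOD = "Name:\tsh\nCapEff:\t000001fff7ffffff\n"

if __name__ == "__main__":
    print(audit(STATUS_NET_ADMIN, DOCKER_DEFAULT | {"NET_ADMIN"}))
    print(audit(STATUS_ALL_BUT_MKNOD, DOCKER_DEFAULT | {"NET_ADMIN"}))
```

An empty "unexpected" list means the container holds nothing beyond what was intended; any name that does appear there is a capability to justify or drop.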