I'd like to force all Docker containers to drop particular capabilities. But configuring the Docker daemon in /etc/docker/daemon.json in this way fails:
{
"cap_drop": ["SYS_CHROOT", "SETFCAP", "SETPCAP", "FOWNER"]
}
I've also tried putting cap-drop there, but it always fails with:
unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives don't match any configuration option: cap_drop
Is it even possible to force the Docker daemon to change these settings globally? I haven't found the list of all global settings anywhere.
The list of all possible configuration values for /etc/docker/daemon.json can be found at the Daemon CLI docs. There is clearly no way to force cap-drop settings for all containers using the daemon settings, so to answer my question: You can't. You have to provide these settings on a per-container basis.
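Because the drops have to be set on each container, a host-level check is the remaining way to confirm that every container actually carries them. The following is an added example, not part of the original post: it audits `docker inspect` JSON for the four capabilities from the question, and the function names and sample data are constructed for illustration. The check is deliberately conservative: a capability counts as retained if the container is privileged, if it is re-added via CapAdd, or if it is not covered by CapDrop.

```python
import json
import sys

# Capabilities the question wants dropped from every container.
REQUIRED_DROPS = {"SYS_CHROOT", "SETFCAP", "SETPCAP", "FOWNER"}

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": None,
        "CapDrop": ["SYS_CHROOT", "SETFCAP", "SETPCAP", "FOWNER"]}},
    {"Name": "/worker", "HostConfig": {"Privileged": False, "CapAdd": None,
        "CapDrop": ["CAP_SYS_CHROOT", "cap_setfcap"]}},
    {"Name": "/legacy", "HostConfig": {"Privileged": False,
        "CapAdd": ["FOWNER"], "CapDrop": ["ALL"]}},
    {"Name": "/debug", "HostConfig": {"Privileged": True, "CapAdd": None,
        "CapDrop": ["ALL"]}},
    {"Name": "/default", "HostConfig": {}},
])

def norm(caps):
    """Normalize CapAdd/CapDrop: may be null, any case, optional CAP_ prefix."""
    upper = [c.upper() for c in (caps or [])]
    return {c[4:] if c.startswith("CAP_") else c for c in upper}

def retained(host_config, required=REQUIRED_DROPS):
    """Return the required capabilities this container may still hold."""
    if host_config.get("Privileged"):
        return set(required)  # privileged containers get every capability
    drops = norm(host_config.get("CapDrop"))
    adds = norm(host_config.get("CapAdd"))
    return {cap for cap in required
            if cap in adds or ("ALL" in adds and cap not in drops)
            or not (cap in drops or "ALL" in drops)}

def audit(inspect_json, required=REQUIRED_DROPS):
    """Map container name -> sorted list of required drops that are missing."""
    findings = {}
    for c in json.loads(inspect_json):
        kept = retained(c.get("HostConfig") or {}, required)
        if kept:
            findings[c.get("Name", "?").lstrip("/")] = sorted(kept)
    return findings

if __name__ == "__main__":
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, caps in sorted(audit(piped.strip() or SAMPLE).items()):
        print(f"{name}: not dropped: {', '.join(caps)}")
```

On a host, real data can be piped in with `docker inspect $(docker ps -q) | python3 audit_caps.py` (the file name is hypothetical); without piped input the script runs over the constructed sample.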