Does Docker's CAP_NET_ADMIN allow a container to affect the host network, or only it's own?connecting from docker container to docker hostHow should I configure SELinux when running nginx inside DockerTransparent proxying a single docker container to another docker containerIPTables port redirect with DockerIptables LOG rule inside a network namespaceHow does yum with Red Hat Network Subscription work inside the rhel Docker images?Configure iptables to secure a server running Docker containersSandbox docker containerTwo NICs docker host, fixed container source IP, no connection to second subnetSend received mirrored traffic using iptables to docker application?

Should I "tell" my exposition or give it through dialogue?

Will TSA allow me to carry a Continuous Positive Airway Pressure (CPAP)/sleep apnea device?

What's the correct term for a waitress in the Middle Ages?

How to make a setting relevant?

Payment instructions from HomeAway look fishy to me

How to make thick Asian sauces?

How can this map be coloured using four colours?

Etymology of 'calcit(r)are'?

Smooth switching between 12v batteries, with toggle switch

Implement Homestuck's Catenative Doomsday Dice Cascader

When writing an error prompt, should we end the sentence with a exclamation mark or a dot?

You've spoiled/damaged the card

What is the advantage of carrying a tripod and ND-filters when you could use image stacking instead?

Whats the next step after commercial fusion reactors?

My coworkers think I had a long honeymoon. Actually I was diagnosed with cancer. How do I talk about it?

Can you `= delete` a templated function on a second declaration?

Their answer is discrete, mine is continuous. They baited me into the wrong answer. I have a P Exam question

Through what methods and mechanisms can a multi-material FDM printer operate?

Incremental Ranges!

Why does the Schrödinger equation work so well for the Hydrogen atom despite the relativistic boundary at the nucleus?

Why did Hela need Heimdal's sword?

What happened to all the nuclear material being smuggled after the fall of the USSR?

Does an ice chest packed full of frozen food need ice? 18 day Grand Canyon trip

How would you say “AKA/as in”?



Does Docker's CAP_NET_ADMIN allow a container to affect the host network, or only it's own?


connecting from docker container to docker hostHow should I configure SELinux when running nginx inside DockerTransparent proxying a single docker container to another docker containerIPTables port redirect with DockerIptables LOG rule inside a network namespaceHow does yum with Red Hat Network Subscription work inside the rhel Docker images?Configure iptables to secure a server running Docker containersSandbox docker containerTwo NICs docker host, fixed container source IP, no connection to second subnetSend received mirrored traffic using iptables to docker application?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















I have a docker container running a password authenticated SFTP server (client requirement - I've already lost that battle). In order to mitigate the risk of brute force attacks, I had thought to install iptables and fail2ban within the container. However, to get iptables working this requires that I allow the container NET_ADMIN rights.



I've not been able to find from the Docker documentation whether this allows the container simply to make changes to it's own network, or to amend the host network as well. All I have found is a summary, such as:



Capability Key | Capability Description
---------------|-----------------------
NET_ADMIN | Perform various network-related operations.


Reading the MAN pages linked from the Docker documentation provides a list of the capabilities that this imparts, but of course it's not written in the context of Docker ...



Perform various network-related operations:
- interface configuration;
- administration of IP firewall, masquerading, and accounting
- modify routing tables;
- bind to any address for transparent proxying;
- set type-of-service (TOS)
- clear driver statistics;
- set promiscuous mode;
- enabling multicasting;


... so I'm still unclear whether these abilities are granted at host level, or relates only to the container's network. An alternative strategy I'd come up with was to expose the container's auth.log using a shared volume and have fail2ban run on the host (I'd obviously have to set --iptables=false on the Docker engine), but I preferred the neatness of having no external host dependency and everything within a single container.



Can anyone allay my fears, or provide alternatives?






security permissions docker







share|improve this question






















  • Have you ever figured this out?

    – Keeper Hood
    Apr 15 at 15:31

















1















I have a docker container running a password authenticated SFTP server (client requirement - I've already lost that battle). In order to mitigate the risk of brute force attacks, I had thought to install iptables and fail2ban within the container. However, to get iptables working this requires that I allow the container NET_ADMIN rights.



I've not been able to find from the Docker documentation whether this allows the container simply to make changes to it's own network, or to amend the host network as well. All I have found is a summary, such as:



Capability Key | Capability Description
---------------|-----------------------
NET_ADMIN | Perform various network-related operations.


Reading the MAN pages linked from the Docker documentation provides a list of the capabilities that this imparts, but of course it's not written in the context of Docker ...



Perform various network-related operations:
- interface configuration;
- administration of IP firewall, masquerading, and accounting
- modify routing tables;
- bind to any address for transparent proxying;
- set type-of-service (TOS)
- clear driver statistics;
- set promiscuous mode;
- enabling multicasting;


... so I'm still unclear whether these abilities are granted at host level, or relates only to the container's network. An alternative strategy I'd come up with was to expose the container's auth.log using a shared volume and have fail2ban run on the host (I'd obviously have to set --iptables=false on the Docker engine), but I preferred the neatness of having no external host dependency and everything within a single container.



Can anyone allay my fears, or provide alternatives?






security permissions docker







share|improve this question






















  • Have you ever figured this out?

    – Keeper Hood
    Apr 15 at 15:31













1












1








1








I have a docker container running a password authenticated SFTP server (client requirement - I've already lost that battle). In order to mitigate the risk of brute force attacks, I had thought to install iptables and fail2ban within the container. However, to get iptables working this requires that I allow the container NET_ADMIN rights.



I've not been able to find from the Docker documentation whether this allows the container simply to make changes to it's own network, or to amend the host network as well. All I have found is a summary, such as:



Capability Key | Capability Description
---------------|-----------------------
NET_ADMIN | Perform various network-related operations.


Reading the MAN pages linked from the Docker documentation provides a list of the capabilities that this imparts, but of course it's not written in the context of Docker ...



Perform various network-related operations:
- interface configuration;
- administration of IP firewall, masquerading, and accounting
- modify routing tables;
- bind to any address for transparent proxying;
- set type-of-service (TOS)
- clear driver statistics;
- set promiscuous mode;
- enabling multicasting;


... so I'm still unclear whether these abilities are granted at host level, or relates only to the container's network. An alternative strategy I'd come up with was to expose the container's auth.log using a shared volume and have fail2ban run on the host (I'd obviously have to set --iptables=false on the Docker engine), but I preferred the neatness of having no external host dependency and everything within a single container.



Can anyone allay my fears, or provide alternatives?






security permissions docker







share|improve this question














I have a docker container running a password authenticated SFTP server (client requirement - I've already lost that battle). In order to mitigate the risk of brute force attacks, I had thought to install iptables and fail2ban within the container. However, to get iptables working this requires that I allow the container NET_ADMIN rights.



I've not been able to find from the Docker documentation whether this allows the container simply to make changes to it's own network, or to amend the host network as well. All I have found is a summary, such as:



Capability Key | Capability Description
---------------|-----------------------
NET_ADMIN | Perform various network-related operations.


Reading the MAN pages linked from the Docker documentation provides a list of the capabilities that this imparts, but of course it's not written in the context of Docker ...



Perform various network-related operations:
- interface configuration;
- administration of IP firewall, masquerading, and accounting
- modify routing tables;
- bind to any address for transparent proxying;
- set type-of-service (TOS)
- clear driver statistics;
- set promiscuous mode;
- enabling multicasting;


... so I'm still unclear whether these abilities are granted at host level, or relates only to the container's network. An alternative strategy I'd come up with was to expose the container's auth.log using a shared volume and have fail2ban run on the host (I'd obviously have to set --iptables=false on the Docker engine), but I preferred the neatness of having no external host dependency and everything within a single container.



Can anyone allay my fears, or provide alternatives?






security permissions docker




security permissions docker






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jun 1 '16 at 18:50









DanDan

1266




1266












  • Have you ever figured this out?

    – Keeper Hood
    Apr 15 at 15:31

















  • Have you ever figured this out?

    – Keeper Hood
    Apr 15 at 15:31
















Have you ever figured this out?

– Keeper Hood
Apr 15 at 15:31





Have you ever figured this out?

– Keeper Hood
Apr 15 at 15:31










1 Answer
1






active

oldest

votes


















0














That depends on whether you set --net=host or not:



Or as the man page puts it:




--net="bridge"
Set the Network mode for the container
'bridge': create a network stack on the default Docker bridge
'none': no networking
'container:': reuse another container's network stack
'host': use the Docker host network stack. Note: the host mode gives the container full access to
local system services such as D-bus and is therefore considered
insecure.







share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f780370%2fdoes-dockers-cap-net-admin-allow-a-container-to-affect-the-host-network-or-onl%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    That depends on whether you set --net=host or not:



    Or as the man page puts it:




    --net="bridge"
    Set the Network mode for the container
    'bridge': create a network stack on the default Docker bridge
    'none': no networking
    'container:': reuse another container's network stack
    'host': use the Docker host network stack. Note: the host mode gives the container full access to
    local system services such as D-bus and is therefore considered
    insecure.







    share|improve this answer



























      0














      That depends on whether you set --net=host or not:



      Or as the man page puts it:




      --net="bridge"
      Set the Network mode for the container
      'bridge': create a network stack on the default Docker bridge
      'none': no networking
      'container:': reuse another container's network stack
      'host': use the Docker host network stack. Note: the host mode gives the container full access to
      local system services such as D-bus and is therefore considered
      insecure.







      share|improve this answer

























        0












        0








        0







        That depends on whether you set --net=host or not:



        Or as the man page puts it:




        --net="bridge"
        Set the Network mode for the container
        'bridge': create a network stack on the default Docker bridge
        'none': no networking
        'container:': reuse another container's network stack
        'host': use the Docker host network stack. Note: the host mode gives the container full access to
        local system services such as D-bus and is therefore considered
        insecure.







        share|improve this answer













        That depends on whether you set --net=host or not:



        Or as the man page puts it:




        --net="bridge"
        Set the Network mode for the container
        'bridge': create a network stack on the default Docker bridge
        'none': no networking
        'container:': reuse another container's network stack
        'host': use the Docker host network stack. Note: the host mode gives the container full access to
        local system services such as D-bus and is therefore considered
        insecure.








        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Mar 7 '17 at 20:15









        DejDej

        53




        53



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f780370%2fdoes-dockers-cap-net-admin-allow-a-container-to-affect-the-host-network-or-onl%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

            Image
            Barça LassaBAXI ManresaCafés Candelas BreogánDelteco GBCDivina Seguros JoventutHerbalife Gran CanariaIberostar TenerifeKirolbet BaskoniaMonbus ObradoiroMontakit FuenlabradaMoraBanc AndorraMovistar EstudiantesReal MadridSan Pablo BurgosTecnyconta ZaragozaUCAM MurciaUnicajaValencia Basket Club Baloncesto Breogán baloncestoLugoGalicia1966JuanJosé Ramón Varela Portasmáxima categoría1970competicións europeasLiga ACBPavillón MunicipalPazo dos DeportesJesús Lázareliga EBAClub Estudiantes1965Lugobaloncestosegunda divisiónJosé RamónJuan Varela-Portas y Pardo1966Celestino Fernández de la Vega196869primeira divisiónZaragozaprimeira divisiónReal MadridJoventutEstudiantes19701971máxima categoría estatal11 de outubro1970Palacio dos DeportesLugoTenerifeMadridReal MadridAlfredo PérezBreogán19711972TenerifeMadridvascocatalánAlfredo PérezespañolMadridLugoManresa La Casera19741975As...
            Read more

            Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

            Image
            Parroquias da LarachaParroquias de Galicia baixo a advocación de Santiago o Maior coruñésLarachacomarca de BergantiñosIGE20131999castro de Montesclarospoboado castrexoidade de ferroromanización de Galiciamiliariopazo de Montesclarosséculo XIXAmboadeA AreosaA BarreiraBos AiresA BoticaAs Brañas da ViñaAs BrañasBusteloOs CanedosFerreirosAs FervenzasA Fonte da CanleO FormigueiroFornelosA FragaFragundeGravidoA LamelaMarfuloOs MeánsMontes ClarosA PanelaO PazoQuintánsRibelaSamiroO SeixoA TelleiraVilañoVilanovaA ViñaVista AlegreCabovilaño (San Román)Caión (Santa María do Socorro)Coiro (San Xián)Erboedo (Santa María)Golmar (San Bieito)Lemaio (Santa Mariña)Lendo (San Xián)Lestón (San Martiño)Montemaior (Santa María Madanela)Soandres (San Pedro)Soutullo (Santa María)Torás (Santa María)Vilaño (Santiago) Vilaño, A Laracha Na Galipedia, a Wi...
            Read more

            Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020

            Image
            OftalmoloxíaDiscapacidade sentidovistaNorteaméricaEuropaollopaíses en vías de desenvolvementopaíses desenvolvidos2014Organización Mundial da SaúdeGaliciaretinopatía diabéticaglaucomaresto visualagudeza visualcampo visualterapia xénicaretinavirus do arrefriado comúncanadestradoséculo XIXLouis Brailleteclado brailleescáneresrecoñecemento óptico de caractereslectores de pantallacorsinestesiafrauta doceamareloclarineteazultamboresvermellopianoverdeSistema Constanzsemáforocans guíaBrailletactosoftwaretactoeuroAvuiséculo XXUnión SoviéticaFranciaItaliaInglaterraNataciónatletismociclismojudoesquífútbol salamontañismoxadrezgoalballsociedademúsicosindixentesprofetassabiosoídotactomúsicarisatactooídolinguaxePiaget (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u0...
            Read more