Hacker News
by
dohqu8Zi
3332 days ago
No, Docker usually drops CAP_NET_RAW within the container. But you can change that, and other container technologies definitely keep CAP_NET_RAW within the container.
2 comments
wrongmmmm
3332 days ago
Not true. CAP_NET_RAW is on by default:
https://github.com/moby/moby/blob/master/oci/defaults_linux....
Otherwise no one could ping from a container.
link
dohqu8Zi
3331 days ago
Thanks for the correction.
link
dohqu8Zi
3332 days ago
BTW: Depending on the configuration you can create a new namespace within Docker to gain CAP_NET_RAW since namespaces can nest.
link
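To check from inside a given container whether CAP_NET_RAW is actually held, decode the `Cap*` masks in `/proc/<pid>/status` and test bit 13. This is an added example, not part of the thread; the two status snippets are constructed samples and the function names are illustrative.

```python
import re

CAP_NET_RAW = 13  # bit number of CAP_NET_RAW in linux/capability.h
SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed samples: the same process status with and without bit 13 set.
SAMPLE_WITH = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)
SAMPLE_DROPPED = SAMPLE_WITH.replace("a80425fb", "a80405fb")

def cap_sets(status_text):
    """Parse the hex capability masks out of /proc/<pid>/status text."""
    found = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in SETS:
            found[m.group(1)] = int(m.group(2), 16)
    return found

def net_raw_report(status_text):
    """Return {set_name: bool} showing which sets contain CAP_NET_RAW."""
    return {name: bool((mask >> CAP_NET_RAW) & 1)
            for name, mask in cap_sets(status_text).items()}

def can_open_raw_sockets(status_text):
    """The effective set decides whether raw sockets can be opened now."""
    return net_raw_report(status_text).get("CapEff", False)

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_WITH  # fall back to the constructed sample off Linux
    for name, present in net_raw_report(text).items():
        # CapBnd matters as well: it caps what a later exec of a binary
        # with file capabilities could add to the process.
        print(f"{name}: CAP_NET_RAW {'present' if present else 'absent'}")
```
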