cap-add=NET_ADMIN on aws ecs

Question

cap-add=NET_ADMIN on aws ecs

Closed this issue 7 years ago · 8 comments

Is there a workaround for --cap-add=NET_ADMIN, because aws ecs agent doesn't support --cap-add?

Answer 1 · 2016-07-12T17:47:58.000Z

I forget what was failing. Can you try and see? It might have been the binding of ports < 1024 per http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q2/008540.html.

Answer 2 · 2016-07-12T18:04:38.000Z

I used --privileged flag and it's working, but i don't think that's a good idea from the security perspective?

Answer 3 · 2016-07-12T18:11:07.000Z

Security is different for everyone. I can't really comment on that specifically. But understanding why we need to use --privileged or -cap-add NET_ADMIN could be helpful to all. If it was something as simple as binding to port 53 then we could probably change that to 5300 in the container and use port mapping externally to do 53:5300 and you wouldn't need any privileged mode.

Answer 4 · 2016-07-12T19:33:39.000Z

FAQ on dnsmasq says that NET_ADMIN is essential; and from what i could gather for iptables and port bindings.
What i found is that if i run -k -d without -cap-add NET_ADMIN it working so maybe it's one of this:

-d, --no-daemon
Debug mode: don't fork to the background, don't write a pid file, don't change user id, generate a complete cache dump on receipt on SIGUSR1, log to stderr as well as syslog, don't fork new processes to handle TCP queries. Note that this option is for use in debugging only, to stop dnsmasq daemonising in production, use -k.

Answer 5 · 2016-07-12T19:46:05.000Z

Unfortunately, I don't have a good answer. I don't use this image anymore and don't have good understanding of the Linux capabilities. I tired to narrow down the capabilities when I originally used it so that it didn't require --privileged. I found that NET_ADMIN was the best compromise. But if --privileged is available and you understand the security implications (of which I can't really talk to) then that would be a workaround as I was originally running it with --privileged before I found NET_ADMIN working.

If you or anyone else find otherwise, feel free to open a pull request to modify the README accordingly.

Answer 6 · 2016-07-12T19:54:26.000Z

I will probably run it in --privileged because the container is running on private network.
Thanks for help.

Answer 7 · 2017-08-30T06:06:35.000Z

For anyone else ending up here when trying to get dnsmasq running in ECS:

Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514214#10

You can use --user=root to avoid the need to run as a privileged container.

Answer 8 · 2017-09-27T20:57:48.000Z

@borgstrom, while I didn't generally agree with #11, it could make sense to mention this in the README. I'm going to close this issue as the original one is more specific to AWS. But I'd be happy to accept a pull request to add something to the README mentioning adding --user=root to their CMD in lieu of --privileged or --cap-add.