Linux Capabilities - CI/CD Glossary Definition
Linux capabilities split the privileges of root into distinct units (such as CAP_NET_BIND_SERVICE or CAP_SYS_ADMIN) that can be granted or dropped individually. Container runtimes drop most capabilities by default.
Least privilege
Instead of running a container as full root, grant only the specific capability a task needs. Dropping unused capabilities with --cap-drop shrinks the attack surface of CI build containers.
Related guides
Privileged Container - CI/CD Glossary DefinitionPrivileged Container: A privileged container runs with `--privileged`, granting nearly all host kernel capabi…
seccomp - CI/CD Glossary Definitionseccomp: seccomp (secure computing mode) is a Linux kernel feature that filters which system calls a process…
Rootless Container - CI/CD Glossary DefinitionRootless Container: A rootless container runs the container engine and workload as an unprivileged user by ma…