Enhanced Container Controls provide you with the ability to configure additional EC Container controls so that you can customize certain advanced host system parameters to your fine-tuned needs.
This guide will explain how to enable enhanced container controls on your workload, as well as which settings are available in our Control Portal.
Enhanced Container Controls (Advanced Settings) can be configured in the Control Portal during Step 3 of the Create Workload process. The Enhanced Container Controls are optional advanced settings that can be used to fine-tune your additional workload requirements.
StackPath's Control Portal currently offers 3 categories of advanced customizable settings that can be added/dropped within your workload: Kernel Settings, Network Settings and Security Settings.
For more information on the container settings within the other steps, please see here.
Kernel Settings (Sysctl)
Define additional kernel parameters for your workload. Sysctls provide the ability to tune kernel parameters to enhance the performance of a container. Below is a list of namespaced sysctls that StackPath supports along with a brief description of their function:
|kernel.shm*||Adjust shared memory related settings|
|kernel.msg*||Adjust message queue related settings|
|kernel.sem||Adjust semaphore tokens SEMMSL, SEMMNS, SEMOPM, and SEMMNI|
|fs.mqueue.*||Adjust message queue related attributes used by file system|
|net.*||Adjust networking related attributes|
Click the drop-down arrow to select the supported sysctl parameter you would like to modify, then enter the value you'd like to set.
Expand the list below to view all of the sysctls are currently supported by StackPath:
Configure the network settings for your container. Listed below are the network settings that are available via the Portal:
- Host Entries: Host Entries are an optional list of hosts and IPs that will be injected into the workload's hosts file if specified.
- Nameservers: Provide a list of DNS name server IP addresses.
- Search Domains: A list of DNS search domains for host-name lookup.
- DNS Resolver Options: A list of DNS resolver options.
Manually enter the Names and Values for the parameters as you see fit.
Security Settings (Linux Capabilities)
Linux capabilities provide a more fine-grained way to grant privileged access to a process without giving it full root privileges. Select the linux capabilities you would like to add/drop to your workload using the drop-drown menu in the Portal.
The following linux capabilities are supported by StackPath:
|CHOWN||Make arbitrary changes to file UIDs and GIDs|
|DAC_OVERRIDE||Bypass file read, write, and execute permission checks|
|DAC_READ_SEARCH||Bypass file read permission checks and directory read and execute permission checks|
|FOWNER||Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file|
|FSETID||Don't clear set-user-ID and set-group-ID mode bits when a file is modified|
|KILL||Bypass permission checks for sending signals(kill)|
|SETGID||Make arbitrary manipulations of process GIDs and supplementary GID list|
|SETUID||Make arbitrary manipulations of process UIDs|
|SETPCAP||Add/drop any capability from the calling thread's bounding set to its inheritable set|
|LINUX_IMMUTABLE||Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags|
|NET_BIND_SERVICE||Bind a socket to Internet domain privileged ports (port numbers less than 1024)|
|NET_BROADCAST||Make socket broadcasts, and listen to multicasts|
|NET_ADMIN||Perform various network-related operations|
|NET_RAW||Use RAW and PACKET sockets|
|IPC_LOCK||Lock memory, allocate memory using huge pages|
|IPC_OWNER||Bypass permission checks for operations on System V IPC objects|
|SYS_CHROOT||Use chroot, change mount namespaces using setns|
|SYS_PTRACE||Trace arbitrary processes using ptrace, inspect, transfer data to/from processes|
|SYS_PACCT||Use acct- switch process accounting on or off|
|SYS_NICE||Perform range of system ops like change nice value of processes, scheduling classes, I/O scheduling etc|
|MKNOD||Create special files using mknod(2)|
|LEASE||Establish leases on arbitrary files|
|SETFCAP||Eet arbitrary capabilities on a file|
For additional Enhanced Container Controls, please feel free to use the StackPath API. See our API documentation located here.