Remove NET_RAW, SYS_CHROOT, MKNOD and AUDIT_WRITE from default list of capabilities

Turn on ping for 65k users

containers.conf

@@ -59,29 +59,25 @@
 # List of default capabilities for containers. If it is empty or commented out,
 # the default capabilities defined in the container engine will be added.
 #
-# default_capabilities = [
-#    "AUDIT_WRITE",
-#    "CHOWN",
-#    "DAC_OVERRIDE",
-#    "FOWNER",
-#    "FSETID",
-#    "KILL",
-#    "MKNOD",
-#    "NET_BIND_SERVICE",
-#    "NET_RAW",
-#    "SETGID",
-#    "SETPCAP",
-#    "SETUID",
-#    "SYS_CHROOT",
-# ]
+default_capabilities = [
+    "CHOWN",
+    "DAC_OVERRIDE",
+    "FOWNER",
+    "FSETID",
+    "KILL",
+    "NET_BIND_SERVICE",
+    "SETGID",
+    "SETPCAP",
+    "SETUID",
+]
 
 # A list of sysctls to be set in containers by default,
 # specified as "name=value",
 # for example:"net.ipv4.ping_group_range = 0 1000".
 #
-# default_sysctls = [
-#  "net.ipv4.ping_group_range=0 1000",
-# ]
+default_sysctls = [
+ "net.ipv4.ping_group_range=0 65536",
+]
 
 # A list of ulimits to be set in containers by default, specified as
 # "<ulimit name>=<soft limit>:<hard limit>", for example:

skopeo.spec

@@ -46,7 +46,7 @@ Epoch: 1
 Epoch: 2
 %endif
 Version: 1.1.1
-Release: 45.dev.git%{shortcommit0}%{?dist}
+Release: 46.dev.git%{shortcommit0}%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@@ -447,6 +447,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 
 %changelog
+* Thu Sep 17 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:1.1.1-46.dev.git5d5756c
+- Remove NET_RAW, SYS_CHROOT, MKNOD and AUDIT_WRITE from default list of capabilities
+- Turn on ping for 65k users
+
 * Tue Sep 15 11:13:22 UTC 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:1.1.1-45.dev.gitbbd800f
 - autobuilt bbd800f