I’ve had NC and Collabora running for a while now, working well. I’ve now wanted to refactor my configs (docker-compose) and one thing that never sat right with me was the official docs calling for --cap-add MKNOD, aka CAP_MKNOD (man capabilities). This in itself raises red flags (I’ve never had to do this with any other Docker container/service), and this article seems to agree:
Almost no containers ever do this, and even fewer containers should do this.
The most frustrating part is that the requirement for that capability isn’t explained anywhere. It’s just accepted, and it seems like no one has ever asked why this is necessary?
Googling collabora mknod lists many pages, all of which just seem to have copied the
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=cloud\\.nextcloud\\.com' --restart always --cap-add MKNOD collabora/code
line from the official docs, without mentioning MKNOD otherwise.
I’d be very happy to grant that capability to Collabora if I understood its need better! Can anyone clarify? Thanks!