(man capabilities
)
The process mysqld does not seem to need any linux capabilities. The entrypoint, on the other hand, does, because, among other things, it downgrades to the mysql user, and for that it uses the SETUID
and SETGID
capabilities.
The only reason DAC_READ_SEARCH
is added is to allow the entrypoint to search under /var/lib/mysql, so that it does not error out, but it does not allow it to make any actual changes.
The entrypoint tries to change the owner of all the folders and files recursively to mysql: https://github.com/docker-library/mariadb/blob/master/10.5/docker-entrypoint.sh#L146
Without the CHOWN
capability, this is going to return an error anyway if any of the files are not already owned by mysql. So in order to avoid having to grant additional capabilities, the permissions need to be set beforehand in case the database is imported/copied from somewhere else.
Because Nextcloud runs an rsync the first time and changes the owner of files, it needs additional capabilities, such as DAC_OVERRIDE
, CHOWN
, besides SETGID
and SETUID
:
https://github.com/nextcloud/docker/blob/master/18.0/apache/entrypoint.sh#L100-L106