Db2 Warehouse SCC capabilities

When you install the Db2 Warehouse service, custom security context constraints (SCC) are automatically created for the service.

You can also manually create an SCC, service account, role, and role binding for the Db2 Warehouse service and specify these objects before you deploy Db2 Warehouse. For more information, see:

The default, automatically created Db2 Warehouse SCCs have the following capabilities:

SYS_RESOURCE
Allows manipulation of reservations, memory allocations, and resource limits. Maximum memory allocation is still constrained by the memory cgroup (memcg) limit, which cannot be overridden by this sys-capability. The Db2 Warehouse database engine needs this sys-capability to increase the resource limits (IE.ulimits).
IPC_OWNER
Bypasses permission checks for operations on IPC objects. Even when the IPC kernel parameters are set to maximum values on the hosts/worker nodes, the Db2 Warehouse engine still tries to dynamically throttle those values. This system capability is provided in addition to sharing IPC namespace with the host.
SYS_NICE
Allows changing process priorities. Because each container has its own PID namespace, this capability applies to that container only. The Db2 Warehouse database engine relies on process thread prioritization to ensure that Work Load Management (WLM) and Fast Communications Manager (FCM) processing is prioritized over generic agent work.
CHOWN
Necessary to run chown to change ownership of files/directories in persistent volumes.
DAC_OVERRIDE
Bypasses permission checks for file read, write, and execute.
FSETID
Prevents the clearing of the setuid and setgid mode bits when a file is modified.
FOWNER
Bypasses permission checks on operations that normally require the file system UID of the process to match the UID of the file (for example, chmod(2), utime(2)), excluding those operations that are covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
SETGID
Necessary to run Db2 Warehouse engine processes with escalated group privileges.
SETUID
Necessary to run Db2 Warehouse engine processes with escalated user privileges.
SETFCAP
Used to set capabilities on files.
SETPCAP
Used to set capabilities on processes.
SYS_CHROOT
Necessary to use the chroot command.
KILL
Bypasses permission checks for sending signals. Necessary for signal handling during process management.
AUDIT_WRITE
Required to write records to the kernel auditing log when SELinux is enabled.