
Capabilities and privilege control in Docker - Commands & Configuration

Introduction
Sometimes containers need special permissions to do certain tasks, but giving full access can be risky. Capabilities and privilege control let you give containers only the permissions they need, keeping your system safer.
When you want a container to access hardware features like networking or devices without full root access.
When you need to limit what a container can do to reduce security risks.
When running containers that require specific Linux capabilities like changing network settings.
When you want to avoid running containers as fully privileged but still allow some extra permissions.
When debugging or testing container permissions by adding or removing capabilities.
Commands
This command runs an Alpine container and adds the NET_ADMIN capability so it can create a dummy network interface. It shows how to add a specific capability to a container.
Terminal
docker run --rm --cap-add=NET_ADMIN alpine ip link add dummy0 type dummy
Expected Output
No output (command runs silently)
--cap-add=NET_ADMIN - Adds the NET_ADMIN capability to the container to allow network administration tasks.
--rm - Automatically removes the container after it exits.
This command runs the same Alpine container but with full privileged mode, allowing all capabilities. It shows how privileged mode grants all permissions.
Terminal
docker run --rm --privileged alpine ip link add dummy0 type dummy
Expected Output
No output (command runs silently)
--privileged - Gives the container every capability and access to all host devices, far more than the single NET_ADMIN capability this task needs.
--rm - Automatically removes the container after it exits.
This command drops all capabilities and then adds back only the CHOWN capability. It creates a file, changes its owner, and lists it to show that the container can still do the one thing it was granted.
Terminal
docker run --rm --cap-drop=ALL --cap-add=CHOWN alpine sh -c 'touch testfile && chown 1000 testfile && ls -l testfile'
Expected Output
-rw-r--r-- 1 1000 0 0 Apr 27 00:00 testfile
--cap-drop=ALL - Removes all capabilities from the container.
--cap-add=CHOWN - Adds only the CHOWN capability to allow changing file ownership.
--rm - Automatically removes the container after it exits.
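As an added example (not part of the original page and not Docker's own code), the POSIX shell script below models how the three flag styles above combine. It takes the same flags you would pass to docker run, prints the resulting bounding capability set, and lists any capabilities that go beyond Docker's default set so a reviewer can see exactly what has to be justified. The default capability list and the evaluation order (specific --cap-drop entries removed from the default set, then --cap-add entries appended; --cap-drop=ALL starts from an empty set; --privileged or --cap-add=ALL means everything) are assumptions based on my understanding of the Docker daemon and should be confirmed on a real host with docker inspect --format '{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}} {{.HostConfig.Privileged}}' on the running container.

```shell
#!/bin/sh
# Added example: models how `docker run` flags combine into a container's
# bounding capability set. Not Docker's own code.
# ASSUMPTIONS (author's understanding of the daemon; verify with docker inspect):
#  - DEFAULT_CAPS is Docker's default capability set for unprivileged containers.
#  - Specific --cap-drop entries are removed from the default set, then
#    --cap-add entries are appended; --cap-drop=ALL starts from an empty set;
#    --privileged or --cap-add=ALL yields every capability (printed as ALL,
#    because the full list depends on the host kernel).
#  - Only the --flag=VALUE spelling is parsed, as used on this page.

DEFAULT_CAPS="AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT"

# normalise_cap NAME: accept CHOWN, chown or CAP_CHOWN and print CHOWN
normalise_cap() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/^CAP_//'
}

# in_list "WORDS" ITEM: succeed if ITEM is one of WORDS
in_list() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# effective_caps [docker run flags...]: print the resulting capability names,
# one per line, sorted, or the single word ALL.
effective_caps() {
    adds="" drops="" privileged=0
    for arg in "$@"; do
        case "$arg" in
            --privileged) privileged=1 ;;
            --cap-add=*)  adds="$adds $(normalise_cap "${arg#--cap-add=}")" ;;
            --cap-drop=*) drops="$drops $(normalise_cap "${arg#--cap-drop=}")" ;;
            *) ;;   # image, command, --rm and other flags do not affect capabilities
        esac
    done
    if [ "$privileged" = 1 ] || in_list "$adds" ALL; then
        echo ALL
        return 0
    fi
    if in_list "$drops" ALL; then
        base=""             # start from nothing, keep only what is added back
    else
        base="$DEFAULT_CAPS"
    fi
    result=""
    for c in $base; do
        in_list "$drops" "$c" || result="$result $c"
    done
    for c in $adds; do
        in_list "$result" "$c" || result="$result $c"
    done
    [ -n "$result" ] || return 0
    printf '%s\n' $result | LC_ALL=C sort
}

# extra_caps [docker run flags...]: capabilities the container would hold that
# are NOT in Docker's default set; these are the ones a reviewer should justify.
extra_caps() {
    for c in $(effective_caps "$@"); do
        in_list "$DEFAULT_CAPS" "$c" || echo "$c"
    done
}

# Usage: pass the same flags you would give `docker run`, e.g.
#   sh caps.sh --rm --cap-drop=ALL --cap-add=CHOWN alpine sh -c 'touch testfile'
if [ "$#" -gt 0 ]; then
    echo "effective capabilities:"
    effective_caps "$@"
    echo "beyond the default set:"
    extra_caps "$@"
fi
```

Run it with the exact flag list from each command above: the NET_ADMIN variant reports one capability beyond the default set, the --privileged variant reports ALL, and the --cap-drop=ALL --cap-add=CHOWN variant reports a single capability in total. Comparing that output against what the workload actually does is the review step the Summary below asks for.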
Key Concept

If you remember nothing else from this pattern, remember: give containers only the capabilities they need to reduce security risks.

Common Mistakes
Running containers with --privileged when only a few capabilities are needed.
This gives the container full access, increasing security risks unnecessarily.
Use --cap-add to add only the specific capabilities the container requires.
Not adding required capabilities, causing container commands to fail with permission errors.
The container lacks permissions to perform needed actions.
Identify and add the minimal capabilities needed using --cap-add.
Dropping all capabilities without adding back needed ones.
The container cannot perform even basic tasks it needs.
Use --cap-drop=ALL with --cap-add to precisely control permissions.
Summary
Use --cap-add to give containers specific Linux capabilities they need.
Use --cap-drop to remove unnecessary capabilities and reduce risk.
Use --privileged only when full access is absolutely required.