0
0
Dockerdevops~20 mins

Capabilities and privilege control in Docker - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
Capabilities Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
💻 Command Output
intermediate
1:30remaining
Effect of Dropping a Capability in Docker
You run a Docker container with the command:
docker run --rm --cap-drop=NET_RAW alpine ping -c 1 8.8.8.8

What will be the output or result of this command?
Docker
docker run --rm --cap-drop=NET_RAW alpine ping -c 1 8.8.8.8
AThe ping command fails with 'ping: socket: Operation not permitted' error.
BThe ping command succeeds and shows the ping statistics.
CDocker throws an error: 'unknown capability: NET_RAW'.
DThe container starts but ping command is not found.
Attempts:
2 left
💡 Hint
Dropping NET_RAW capability disables raw socket creation needed by ping.
🧠 Conceptual
intermediate
1:00remaining
Understanding Privileged Mode in Docker
What is the main effect of running a Docker container with the --privileged flag?
AIt limits the container to only the default capabilities for security.
BIt grants the container all Linux capabilities and lifts most security restrictions.
CIt disables networking inside the container.
DIt runs the container with read-only filesystem.
Attempts:
2 left
💡 Hint
Think about what 'privileged' means in terms of access rights.
Configuration
advanced
1:30remaining
Configuring a Docker Container to Add a Capability
You want to run a container that needs the ability to change system time. Which Docker run option correctly adds the required capability?
Adocker run --privileged=false alpine date
Bdocker run --cap-drop=SYS_TIME alpine date
Cdocker run --cap-add=SYS_TIME alpine date
Ddocker run --cap-add=NET_ADMIN alpine date
Attempts:
2 left
💡 Hint
Changing system time requires SYS_TIME capability.
Troubleshoot
advanced
2:00remaining
Diagnosing Permission Issues with Docker Capabilities
A containerized application fails with 'Operation not permitted' when trying to modify network interfaces. The container was started with:
docker run --rm --cap-drop=NET_ADMIN myapp

What is the cause of the failure?
AThe image 'myapp' does not have ping installed.
BThe container lacks SYS_ADMIN capability needed for network changes.
CThe container must be run with --privileged to modify network.
DDropping NET_ADMIN capability prevents network interface modifications.
Attempts:
2 left
💡 Hint
NET_ADMIN controls network administration tasks.
Best Practice
expert
2:30remaining
Security Best Practice for Running Containers with Capabilities
Which practice best improves container security regarding Linux capabilities?
AStart containers with no capabilities and add only those strictly required.
BUse default capabilities and never modify them.
CAlways run containers with --privileged for full functionality.
DStart containers with all capabilities and drop them as needed.
Attempts:
2 left
💡 Hint
Think about the principle of least privilege.