
Capabilities and privilege control in Docker - Mini Project: Build & Apply

Docker Capabilities and Privilege Control
📖 Scenario: You are managing Docker containers for a small web application. You want to control what system capabilities the containers have to improve security. This means allowing only the minimum permissions needed for the container to run.
🎯 Goal: Learn how to run a Docker container with specific Linux capabilities removed and understand how to run a container without full root privileges.
📋 What You'll Learn
Create a Docker container running the alpine image
Remove the NET_RAW capability from the container
Run the container with the --cap-drop option
Run the container without root privileges using the --user option
Verify the non-root user and dropped NET_RAW capability inside the container
💡 Why This Matters
🌍 Real World
Limiting container capabilities reduces the risk of security breaches by restricting what the container can do on the host system.
💼 Career
DevOps engineers and system administrators use capability and privilege controls to harden containerized applications in production environments.
1. Create a Docker container using the alpine image
Write a Docker command to run a container named secure_container using the alpine image in interactive mode with a shell.
Hint: Use docker run -it --name secure_container alpine sh to start an interactive shell in the alpine container.

2. Remove the NET_RAW capability from the container
Modify the Docker run command to drop the NET_RAW capability by adding the --cap-drop=NET_RAW option. Keep the container name secure_container and run interactively with shell.
Hint: Add --cap-drop=NET_RAW to the docker run command to remove the NET_RAW capability.

3. Run the container without root privileges
Modify the Docker run command to run the container as a non-root user by adding the option --user 1000. Keep the container name secure_container, drop NET_RAW capability, and run interactively with shell.
Hint: Add --user 1000 to run the container as a non-root user with UID 1000.

4. Verify capabilities inside the container
Inside the running container, run id to confirm the non-root user and ping -c 1 127.0.0.1 to verify that NET_RAW is dropped (ping should fail with permission denied).
Hint: Use id to see the user (should show uid=1000) and ping -c 1 127.0.0.1 to test NET_RAW (should fail).
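
A direct check to go with the ping test in step 4, added here as an example and not part of the original exercise: it decodes the capability masks the kernel exposes in /proc/<pid>/status. With --user 1000 the effective set (CapEff) is empty whether or not anything was dropped, so the bounding set (CapBnd) is what shows the effect of --cap-drop=NET_RAW; ping can also succeed through an unprivileged ICMP socket when the net.ipv4.ping_group_range sysctl permits it. The function names and the sample masks are constructed for illustration, the masks being computed from Docker's default capability set.

```shell
#!/bin/sh
CAP_NET_RAW=13   # capability number of CAP_NET_RAW in linux/capability.h

# Print the hex mask of one field (CapBnd, CapEff, ...) from status text on stdin.
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# Succeed if bit $2 is set in hex mask $1 (a missing mask counts as all zero).
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# Read /proc/<pid>/status text on stdin and report NET_RAW in the bounding
# set (what --cap-drop changes) and the effective set (what the process holds).
net_raw_report() {
    status=$(cat)
    out=""
    for field in CapBnd CapEff; do
        mask=$(printf '%s\n' "$status" | cap_field "$field")
        if has_cap "$mask" "$CAP_NET_RAW"; then state=present; else state=absent; fi
        out="$out$field=$state "
    done
    echo "${out% }"
}

# Constructed samples, derived from Docker's default capability set.
# docker run alpine (root, nothing dropped)
SAMPLE_DEFAULT='CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'
# docker run --user 1000 alpine (non-root, nothing dropped)
SAMPLE_USER_ONLY='CapEff: 0000000000000000
CapBnd: 00000000a80425fb'
# docker run --cap-drop=NET_RAW --user 1000 alpine (the step 3 command)
SAMPLE_STEP3='CapEff: 0000000000000000
CapBnd: 00000000a80405fb'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_USER_ONLY" "$SAMPLE_STEP3"; do
    printf '%s\n' "$sample" | net_raw_report
done

# Inside the container, the live values come from: net_raw_report < /proc/self/status
```

Only the step 3 sample reports CapBnd=absent; the user-only sample shows why an empty CapEff by itself does not prove that NET_RAW was dropped.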