Docker - Security
You want to run a container that can modify network settings but nothing else. Which command best limits privileges to only what is needed?
You want to run a container that can modify network settings but nothing else. Which command best limits privileges to only what is needed?
hard📝 Best Practice Q15 of 15
Step-by-Step Solution
Solution:
Step 1: Understand the goal
The container should only have network admin rights, no other privileges.Step 2: Evaluate options
docker run --cap-drop ALL --cap-add NET_ADMIN myimage drops all capabilities then adds only NET_ADMIN, perfectly limiting privileges.Step 3: Why others are wrong
--privilegedgrants full privileges,--cap-add ALLadds all capabilities (too much),--cap-drop NET_ADMINremoves NET_ADMIN (opposite of goal).Final Answer:
docker run --cap-drop ALL --cap-add NET_ADMIN myimage -> Option CQuick Check:
Drop all then add needed cap = minimal privileges [OK]
Quick Trick: Drop all caps, then add only needed ones [OK]
Common Mistakes:
- Using --privileged which grants too many rights
- Adding all capabilities instead of limiting
- Dropping the needed capability by mistake
Master "Security" in Docker
Want More Practice?
15+ quiz questions · All difficulty levels · Free
Free Signup - Practice All QuestionsMore Docker Quizzes