Complete the command to run a Docker container with the NET_ADMIN capability added.
docker run --cap-add=[1] alpine ip link
The --cap-add=NET_ADMIN option adds the network administration capability to the container, allowing commands like ip link to work.
Complete the command to run a Docker container in privileged mode.
docker run [1] alpine ls /root
The --privileged flag gives the container all capabilities and lifts many restrictions, allowing full access to the host.
Fix the error in the command to drop the CHOWN capability from a container.
docker run --cap-drop=[1] alpine whoami
The --cap-drop=CHOWN option removes the capability to change file ownership inside the container.
Fill both blanks to run a container with the SYS_TIME capability added and the NET_RAW capability dropped.
docker run --cap-add=[1] --cap-drop=[2] alpine date
--cap-add=SYS_TIME allows changing the system clock inside the container. --cap-drop=NET_RAW removes the raw network access (raw socket) capability.
Fill all three blanks to run a container that adds the SYS_ADMIN capability, drops the MKNOD capability, and disables new privileges.
docker run --cap-add=[1] --cap-drop=[2] --security-opt=[3] alpine bash
--cap-add=SYS_ADMIN grants administrative capabilities. --cap-drop=MKNOD removes the ability to create device files. --security-opt=no-new-privileges prevents privilege escalation inside the container.