0
0
Dockerdevops~10 mins

Capabilities and privilege control in Docker - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - Capabilities and privilege control
Start Container
Check Default Capabilities
Add or Drop Capabilities?
NoRun with Defaults
Yes
Apply Capability Changes
Check Privilege Mode
Run Container with Privilege or Restricted
Container Running with Defined Privileges
This flow shows how Docker starts a container, checks and modifies capabilities, and applies privilege controls before running the container.
Execution Sample
Docker
docker run --rm --cap-drop=CHOWN alpine sh -c 'touch /tmp/test && chown 65534 /tmp/test'

docker run --rm --privileged alpine sh -c 'touch /tmp/test && chown 65534 /tmp/test'
Runs two containers: one drops CHOWN capability, the other runs fully privileged, both attempting a privileged chown operation.
Process Table
StepCommandCapabilities SetPrivilege ModeActionOutput Summary
1docker run --rm --cap-drop=CHOWN alpine sh -c 'touch /tmp/test && chown 65534 /tmp/test'All default except CHOWN droppedDefault (not privileged)Container starts with reduced capabilitieschown fails with Operation not permitted
2docker run --rm --privileged alpine sh -c 'touch /tmp/test && chown 65534 /tmp/test'All capabilities grantedPrivileged mode enabledContainer starts with full privilegeschown succeeds
3ExitN/AN/AContainers stopped after commandNo running containers remain
💡 Containers exit after running chown command; privilege and capabilities affect command success.
Status Tracker
VariableStartAfter Step 1After Step 2Final
CapabilitiesAll defaultAll default minus CHOWNAll capabilities grantedN/A
Privilege ModeDefaultDefaultPrivilegedN/A
Container StateNot runningRunning (step 1)Running (step 2)Exited
Key Moments - 3 Insights
Why does dropping CHOWN capability affect the chown command?
Because chown requires CHOWN rights, dropping CHOWN removes permission to change ownership, as shown in step 1 of the execution_table.
What does running a container in privileged mode change?
Privileged mode grants all capabilities, allowing commands like chown full access, as seen in step 2 where the container runs with full privileges.
Does dropping capabilities stop the container from running?
No, the container still runs but with restricted permissions, demonstrated in step 1 where the container runs but with limited capabilities.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what capability is dropped in step 1?
AALL
BSYS_ADMIN
CCHOWN
DNET_ADMIN
💡 Hint
Check the 'Capabilities Set' column in step 1 of the execution_table.
At which step does the container run with full privileges?
AStep 2
BStep 1
CStep 3
DNone
💡 Hint
Look at the 'Privilege Mode' column in the execution_table.
If we remove the '--cap-drop=CHOWN' option, what changes in the output of the command?
ANo change, command still limited
BCommand succeeds without permission error
CContainer fails to start
DCommand output is empty
💡 Hint
Refer to the difference between step 1 and step 2 in the execution_table.
Concept Snapshot
Docker containers run with default Linux capabilities.
Use --cap-drop or --cap-add to remove or add capabilities.
--privileged mode grants all capabilities and full access.
Dropping capabilities restricts container actions without stopping it.
Privilege control helps secure containers by limiting permissions.
Full Transcript
This visual execution shows how Docker manages capabilities and privileges when running containers. First, a container runs with the CHOWN capability dropped, limiting ownership change commands like chown. Then, a container runs in privileged mode, granting all capabilities and full command access. The execution table tracks commands, capabilities, privilege modes, and outputs. Variables like capabilities and privilege mode change per step, affecting container behavior. Key moments clarify why dropping capabilities limits commands but does not stop containers, and how privileged mode grants full access. The quiz tests understanding of capability dropping, privilege mode, and command output differences. The snapshot summarizes how Docker uses capabilities and privilege controls to secure containers.