how to setcap for a binary file in docker image

Question

I want to set capabilities for some binary files in my docker image so that i can execute them in a container with a non-root user, i have tried to setcap in my dockerfile:dockerfile, then i built this image with docker build: docker build, but when i created a container with this image, i can not find any capability set for the file: no capability. Is this a docker bug? Or is there any other way to set capabilities for files in docker image?

Answer 1

I take cap_net_admin and ip as an example.

In the Dockerfile below, /bin/ip have granted the cap_net_admin permition.

FROM debian

RUN useradd -m alice -s /bin/bash \
    && setcap cap_net_admin+ep /bin/ip

USER alice
CMD ["/bin/ip", "link", "show"]

But after built, it seems not working.

$ docker build -t cap .
$ docker run --rm cap
standard_init_linux.go:219: exec user process caused: operation not permitted

That's because the Docker runtime limit the permition. If you really want to do that, --cap-add is necessary.

$ docker run --rm --cap-add=cap_net_admin cap
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0

In K8s, you may need something like this:

spec:
  containers:
  - name: cap-test
    image: cap
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]

References

• Runtime privilege and Linux capabilities
• Configure a Security Context for a Pod or Container | Kubernetes

Answer 2

please make sure that do not setcap on your base image(parent Dockerfile)