how to setcap for a binary file in docker image


I want to set capabilities for some binary files in my Docker image so that I can execute them in a container as a non-root user. I have tried to setcap in my Dockerfile: dockerfile, then I built this image with docker build: docker build, but when I created a container from this image, I could not find any capability set on the file: no capability. Is this a Docker bug? Or is there any other way to set capabilities on files in a Docker image?


There are 2 best solutions below


Please make sure that you do not setcap in your base image (parent Dockerfile).


I take cap_net_admin and ip as an example.

In the Dockerfile below, /bin/ip has been granted the cap_net_admin permission.

FROM debian

RUN useradd -m alice -s /bin/bash \
    && setcap cap_net_admin+ep /bin/ip

USER alice
CMD ["/bin/ip", "link", "show"]

But after building it, it does not seem to work.

$ docker build -t cap .
$ docker run --rm cap
standard_init_linux.go:219: exec user process caused: operation not permitted

That's because the Docker runtime limits the permissions. If you really want to do that, --cap-add is necessary.

$ docker run --rm --cap-add=cap_net_admin cap
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0

In K8s, you may need something like this:

spec:
  containers:
  - name: cap-test
    image: cap
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
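As an added example (not from either answer), a small Python pre-flight check that decodes the process bounding set (CapBnd in /proc/self/status) and reports which capabilities granted by a setcap clause such as cap_net_admin+ep cannot be honoured in the current container. The /proc/self/status excerpts are constructed; the first reproduces Docker's default CapBnd mask, the second the same mask with NET_ADMIN added.

```python
"""Pre-flight check: can a setcap'd binary actually run in this container?
execve() fails with EPERM ("operation not permitted") when a file has the
effective bit set and asks for a capability outside the bounding set, which is
exactly what happens to /bin/ip with cap_net_admin+ep under a default docker run."""
import re

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_NUMBERS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2, "cap_fowner": 3, "cap_fsetid": 4,
    "cap_kill": 5, "cap_setgid": 6, "cap_setuid": 7, "cap_setpcap": 8, "cap_linux_immutable": 9,
    "cap_net_bind_service": 10, "cap_net_broadcast": 11, "cap_net_admin": 12, "cap_net_raw": 13,
    "cap_ipc_lock": 14, "cap_ipc_owner": 15, "cap_sys_module": 16, "cap_sys_rawio": 17,
    "cap_sys_chroot": 18, "cap_sys_ptrace": 19, "cap_sys_pacct": 20, "cap_sys_admin": 21,
    "cap_sys_boot": 22, "cap_sys_nice": 23, "cap_sys_resource": 24, "cap_sys_time": 25,
    "cap_sys_tty_config": 26, "cap_mknod": 27, "cap_lease": 28, "cap_audit_write": 29,
    "cap_audit_control": 30, "cap_setfcap": 31, "cap_mac_override": 32, "cap_mac_admin": 33,
    "cap_syslog": 34, "cap_wake_alarm": 35, "cap_block_suspend": 36, "cap_audit_read": 37,
    "cap_perfmon": 38, "cap_bpf": 39, "cap_checkpoint_restore": 40,
}

# Constructed /proc/self/status excerpts for a non-root process: Docker's default
# bounding set (a80425fb) and the same set after --cap-add=NET_ADMIN (bit 12 set).
STATUS_DEFAULT = "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
STATUS_NET_ADMIN = "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80435fb\n"

def decode_mask(mask_hex):
    """Turn a Cap* hex mask into the set of capability names it contains."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_NUMBERS.items() if (mask >> bit) & 1}

def bounding_set(status_text):
    """Extract and decode the CapBnd line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    return decode_mask(m.group(1)) if m else set()

def file_caps(clause):
    """Capability names in a setcap clause such as 'cap_net_admin+ep' or
    'cap_net_admin,cap_net_raw=ep'; the action and flag suffix is ignored."""
    names = re.split(r"[+=-]", clause, maxsplit=1)[0]
    return {n.strip().lower() for n in names.split(",") if n.strip()}

def missing_caps(clause, status_text):
    """Capabilities the file demands that the bounding set cannot supply; a
    non-empty result means exec of the setcap'd binary will be refused."""
    return file_caps(clause) - bounding_set(status_text)

if __name__ == "__main__":
    # Run inside the container (Linux only) to check the page's clause live.
    with open("/proc/self/status") as f:
        print("missing:", missing_caps("cap_net_admin+ep", f.read()))
```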
