weixin_39554434
2021-01-06 17:12

Add NET_ADMIN capability in build/Dockerfile/docker-compose up

Description It is possible to add the NET_ADMIN capability when running a docker container, using --cap-add=NET_ADMIN. However, I need to get these capabilities when building my container via docker build (from a Dockerfile), or when running a bunch of services using docker-compose up. Any idea?

Steps to reproduce the issue: No reproduction path needed.

Describe the results you received: Getting permission denied for the specific use case (iptables).

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:


Client:
 Version:   17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:03:51 2017
 OS/Arch:   darwin/amd64

Server:
 Engine:
  Version:  17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:    Wed Dec 27 20:12:29 2017
  OS/Arch:  linux/amd64
  Experimental: true

Output of docker info:


Containers: 64
 Running: 0
 Paused: 0
 Stopped: 64
Images: 239
Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.60-linuxkit-aufs
Operating System: Docker for Mac
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 1.952GiB
Name: linuxkit-025000000001
ID: JH3W:45M7:HB2B:JFSM:BU4G:PPDT:Z4SU:PZNG:LDFM:PHX4:XN2W:H6RU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 23
 Goroutines: 47
 System Time: 2018-02-26T15:13:00.210278832Z
 EventsListeners: 2
HTTP Proxy: docker.for.mac.http.internal:3128
HTTPS Proxy: docker.for.mac.http.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.): Using MacOS High Sierra.

This question comes from the open source project: docker/cli


7 replies

  • weixin_39906499 4 months ago

    Containers used during build use the default restrictions; additional permissions could result in containers making changes in the host configuration.

    Do you have more information about what you're trying to run as part of your build that requires additional capabilities? (You mention configuring iptables during build, perhaps you can describe the use-case a bit more in depth)

  • weixin_39554434 4 months ago

    I'm trying to direct traffic from port 80 to port 8080. So this:

    
    RUN sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    

    But then I get the permission denied error upon building. Thank you for your response.

  • weixin_39906499 4 months ago

    Is that rule needed during build, or when the image is run? When running the image you'd already be able to map ports (e.g. -p 8080:80); also, iptables does not preserve state, and given that each RUN is executed in a new container, that rule would only be set for that RUN, but no longer available in each RUN afterwards.

  • weixin_39554434 4 months ago

    Completely forgot about this! Funny how you're trying to do advanced stuff with Docker and forgetting the very basics.

    Thanks, this can be closed.

  • weixin_39906499 4 months ago

    No worries, thanks!

  • weixin_39924674 4 months ago

    Hi, follow-up on your Q&A... What about if I want to create a network device inside the container? For example:

    RUN ip link add dev wg0 type wireguard

    Thanks

  • weixin_39963096 4 months ago

    As mentioned here, this configuration would not be available for the next layer of the build.

    I had a similar issue, and ended up adding a script to the container to be executed at run-time.

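A run-time version of the pattern the last two replies describe (grant NET_ADMIN when the container starts, apply the network rule from an entrypoint script rather than a RUN step), as an added example that is not code from the docker/cli issue or from any of its participants. It assumes a hypothetical compose service named `web`, a hypothetical app binary at `/usr/local/bin/myapp`, and that the script is installed as `/entrypoint.sh`; the capability number 12 for CAP_NET_ADMIN is the value from the kernel's `linux/capability.h`, and the bit test reads the `CapEff` mask from `/proc/self/status`. The same shape serves the WireGuard follow-up: replace the iptables step with `ip link add dev wg0 type wireguard`, which needs the same capability and likewise only survives in the running container.

```shell
#!/bin/sh
# entrypoint.sh (added example; not from the docker/cli issue above).
# Assumed wiring in docker-compose.yml: cap_add grants CAP_NET_ADMIN at
# run time, which is the only place compose/docker run can grant it.
#
#   services:
#     web:                                    # hypothetical service name
#       build: .
#       cap_add: [NET_ADMIN]
#       entrypoint: ["/entrypoint.sh"]
#       command: ["/usr/local/bin/myapp"]     # hypothetical app binary
#       ports: ["80:80"]                      # host 80 -> container 80 -> REDIRECT -> 8080
#
# The rule is (re)applied on every start inside the container's own
# network namespace, because nothing done in a RUN step survives into
# the next layer or into the running container.
set -eu

CAP_NET_ADMIN=12   # bit number of CAP_NET_ADMIN in linux/capability.h

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in the hex
# capability mask, the format of CapEff/CapBnd in /proc/<pid>/status.
cap_in_mask() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# current_cap_mask: effective capability mask of this process.
current_cap_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# build_redirect_rule FROM TO: the iptables command that sends TCP
# traffic arriving on port FROM to port TO within this namespace.
build_redirect_rule() {
    echo "iptables -t nat -A PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# apply_redirect FROM TO: install the rule once; -C makes restarts idempotent.
apply_redirect() {
    if iptables -t nat -C PREROUTING -p tcp --dport "$1" -j REDIRECT --to-ports "$2" 2>/dev/null; then
        echo "redirect $1 -> $2 already present" >&2
    else
        iptables -t nat -A PREROUTING -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
    fi
}

main() {
    # Fail early with a clear message instead of iptables' bare "Permission denied".
    if ! cap_in_mask "$(current_cap_mask)" "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN missing: start with --cap-add=NET_ADMIN or cap_add: [NET_ADMIN]" >&2
        exit 1
    fi
    apply_redirect 80 8080
    # Hand over to the real service so it becomes PID 1 and receives signals.
    exec "$@"
}

# With no command to exec there is nothing to do; only the functions are
# defined, which also lets the script be sourced without iptables present.
[ "$#" -eq 0 ] || main "$@"
```

If all that is wanted is host port 80 reaching the app on 8080, `ports: ["80:8080"]` does that without iptables or any extra capability, which is the maintainer's point above. Keep `cap_add: [NET_ADMIN]` only for rules or devices that must exist inside the container's own network namespace, and do not combine it with `network_mode: host`, where the same REDIRECT rule would rewrite the host's NAT table. `docker build` runs every RUN with the default restrictions, so this has to happen at run time either way.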
