Say I run a container adding a capability, e.g. `--cap-add=SYS_ADMIN`. Is there a way to find out that this container has been assigned the `SYS_ADMIN` capability? `docker inspect` doesn't seem to return such information.
`net_bind_service`: This one's easy. If you have this capability, you can bind to privileged ports (e.g., those below 1024). If you want to bind to a port below 1024 you need this capability. If you are running a service that listens on a port above 1024 you should drop this capability.
You already answered your question, but to add another option: you might want to find the currently effective capabilities, regardless of which ones you have manually configured. https://github.com/riyazdf/dockercon-workshop/tree/master/capabilities mentions some utilities, which you would need to install inside the container. Example:
docker run --rm -it alpine sh -c 'apk add -U libcap; capsh --print'
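As an added example (not part of the original answer or of the linked workshop), here is the same "effective capabilities" check done without installing anything in the container: the kernel exposes the effective set as a hex bitmask in the `CapEff:` line of `/proc/<pid>/status`, and the bit numbers are the `CAP_*` constants from `linux/capability.h` (`CAP_SYS_ADMIN` is bit 21). The two mask values at the bottom are constructed for the demonstration: Docker's default capability set encoded as a mask, and the same set with bit 21 turned on as `--cap-add=SYS_ADMIN` would do. On the host side, the configured (not effective) adds and drops are also visible with `docker inspect --format '{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}}' <container>`.

```shell
#!/bin/sh
# Added example: decode the CapEff bitmask from /proc/<pid>/status so a
# container can be checked for SYS_ADMIN (or any capability) without libcap.
# Bit numbers follow linux/capability.h.

CAP_TABLE="0:chown 1:dac_override 2:dac_read_search 3:fowner 4:fsetid 5:kill
6:setgid 7:setuid 8:setpcap 9:linux_immutable 10:net_bind_service
11:net_broadcast 12:net_admin 13:net_raw 14:ipc_lock 15:ipc_owner
16:sys_module 17:sys_rawio 18:sys_chroot 19:sys_ptrace 20:sys_pacct
21:sys_admin 22:sys_boot 23:sys_nice 24:sys_resource 25:sys_time
26:sys_tty_config 27:mknod 28:lease 29:audit_write 30:audit_control
31:setfcap 32:mac_override 33:mac_admin 34:syslog 35:wake_alarm
36:block_suspend 37:audit_read 38:perfmon 39:bpf 40:checkpoint_restore"

# decode_caps HEXMASK: print the name of every capability set in the mask,
# one per line, in bit order.
decode_caps() {
    mask=$(( 0x$1 ))
    for entry in $CAP_TABLE; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
    done
}

# has_cap HEXMASK NAME: exit 0 if the named capability is in the mask.
has_cap() {
    decode_caps "$1" | grep -qx "$2"
}

# count_caps HEXMASK: number of capabilities set in the mask.
count_caps() {
    decode_caps "$1" | wc -l | tr -d ' '
}

# effective_mask [PID]: read CapEff for a running process (default: self).
# Run inside the container to see what it really has, whatever --cap-add or
# --cap-drop flags were passed at start.
effective_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Constructed sample values (not captured from a real host): Docker's default
# capability set as a mask, and the same set after --cap-add=SYS_ADMIN
# (bit 21 = 0x200000 added).
DEFAULT_MASK=00000000a80425fb
SYS_ADMIN_MASK=00000000a82425fb

if has_cap "$SYS_ADMIN_MASK" sys_admin; then
    echo "sample mask $SYS_ADMIN_MASK grants sys_admin; full set:"
    decode_caps "$SYS_ADMIN_MASK" | tr '\n' ' '
    echo
fi
```

Inside a running container, `decode_caps "$(effective_mask)"` gives the live answer; if `sys_admin` appears, the container was started with it (or with `--privileged`), regardless of what the image or compose file claims. `CapBnd:` in the same file is the bounding set, which is the more relevant line when checking what a process could regain via a setuid binary or file capabilities.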