Is it possible to add a capability (for ex: NET_ADMIN) after the container has actually started?
I started a container a few days ago, and a service it provides is being used by several other processes running remotely on other servers. I need to add a loopback interface to it, but unfortunately I forgot to start the container with --cap-add=NET_ADMIN, and hence I can't add the interface now.
I'm looking for a way, if there is one, to give this capability to the container somehow.
Here is the current list of capabilities that Docker uses: chown, dac_override, fowner, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, setfcap, and audit_write. It is continuously argued back and forth which capabilities should be allowed or denied by default.
Use a process manager which can run multiple processes: You can set the container's entrypoint to a specialised program which is capable of running and managing multiple processes. One example of this is supervisord. You can use supervisord as your container entrypoint, which will then load the services that you need.
VanagaS
1. Stop the container:
docker stop yourcontainer;
2. Get the container id:
docker inspect yourcontainer;
3. Modify hostconfig.json (the default Docker path is /var/lib/docker; change it if yours differs):
vim /var/lib/docker/containers/containerid/hostconfig.json
4. Search for "CapAdd" and change null to ["NET_ADMIN"]:
....,"VolumesFrom":null,"CapAdd":["NET_ADMIN"],"CapDrop":null,....
5. Restart Docker on the host machine:
service docker restart;
6. Start your container:
docker start yourcontainer;
It works for me, enjoy it.
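Two helpers that automate steps 3 and 4 of the answer above and then verify the result from inside the container; this is an added example, not the answerer's code. It assumes hostconfig.json is the compact JSON Docker writes, that the daemon is stopped while the file is edited, and that CAP_NET_ADMIN is bit 12 of the CapEff mask reported in /proc/<pid>/status (as defined in linux/capability.h).

```python
import json
import shutil

CAP_NET_ADMIN_BIT = 12  # linux/capability.h: CAP_NET_ADMIN = 12


def add_cap(hostconfig_text: str, cap: str = "NET_ADMIN") -> str:
    """Return hostconfig.json text with `cap` added to CapAdd.

    Handles the `null` Docker writes when no capability was added and
    does not duplicate a capability that is already listed.
    """
    cfg = json.loads(hostconfig_text)
    caps = cfg.get("CapAdd") or []
    if cap not in caps:
        caps.append(cap)
    cfg["CapAdd"] = caps
    # Docker stores this file as compact JSON; keep the same shape.
    return json.dumps(cfg, separators=(",", ":"))


def patch_hostconfig(path: str, cap: str = "NET_ADMIN") -> str:
    """Edit the file in place, keeping a .bak copy (run only while dockerd is stopped)."""
    shutil.copyfile(path, path + ".bak")
    with open(path) as f:
        new_text = add_cap(f.read(), cap)
    with open(path, "w") as f:
        f.write(new_text)
    return new_text


def has_cap(proc_status: str, bit: int = CAP_NET_ADMIN_BIT) -> bool:
    """Check the CapEff line of a /proc/<pid>/status dump.

    After step 6, `docker exec yourcontainer cat /proc/1/status` gives
    the text to pass here; bit `bit` set means the capability is effective.
    """
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> bit) & 1)
    raise ValueError("no CapEff line found")


# Constructed sample inputs (not captured from a real host):
SAMPLE_HOSTCONFIG = '{"Binds":null,"VolumesFrom":null,"CapAdd":null,"CapDrop":null}'
SAMPLE_STATUS_BEFORE = "Name:\tnginx\nCapEff:\t00000000a80425fb\n"  # bit 12 clear
SAMPLE_STATUS_AFTER = "Name:\tnginx\nCapEff:\t00000000a80435fb\n"   # bit 12 set

if __name__ == "__main__":
    print(add_cap(SAMPLE_HOSTCONFIG))
    print(has_cap(SAMPLE_STATUS_BEFORE), has_cap(SAMPLE_STATUS_AFTER))
```

The CapEff check is the confirmation step the answer omits: if the bit is still clear after restarting, the daemon rewrote the file and the edit did not take.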