Cli: Add NET_ADMIN capability in build/Dockerfile/docker-compose up

Created on 26 Feb 2018 · 7 comments · Source: docker/cli

Description
It is possible to add the NET_ADMIN capability when running a docker container, using --cap-add=NET_ADMIN. However, I need to get these capabilities when building my container via docker build (from a Dockerfile), or when running a bunch of services using docker-compose up. Any idea?

Steps to reproduce the issue:
No reproduction path needed.

Describe the results you received:
Getting permission denied for the specific use case (iptables).

Describe the results you expected:
-

Additional information you deem important (e.g. issue happens only occasionally):
-

Output of docker version:

Client:
 Version:   17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:03:51 2017
 OS/Arch:   darwin/amd64

Server:
 Engine:
  Version:  17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:    Wed Dec 27 20:12:29 2017
  OS/Arch:  linux/amd64
  Experimental: true

Output of docker info:

Containers: 64
 Running: 0
 Paused: 0
 Stopped: 64
Images: 239
Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.60-linuxkit-aufs
Operating System: Docker for Mac
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 1.952GiB
Name: linuxkit-025000000001
ID: JH3W:45M7:HB2B:JFSM:BU4G:PPDT:Z4SU:PZNG:LDFM:PHX4:XN2W:H6RU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 23
 Goroutines: 47
 System Time: 2018-02-26T15:13:00.210278832Z
 EventsListeners: 2
HTTP Proxy: docker.for.mac.http.internal:3128
HTTPS Proxy: docker.for.mac.http.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):
Using MacOS High Sierra.


All 7 comments

Containers used during build use the default restrictions; additional permissions could result in containers making changes in the host configuration.

Do you have more information about what you're trying to run as part of your build that requires additional capabilities? (You mention configuring iptables during build, perhaps you can describe the use-case a bit more in depth)

@thaJeztah I'm trying to direct traffic from port 80 to port 8080.
So this:

RUN sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

But then I get the permission denied error upon building. Thank you for your response.

Is that rule needed during build, or when the image is _run_? When running the image you'd already be able to map ports (e.g. -p 8080:80); also, iptables does not preserve state, and given that each RUN is executed in a new container, that rule would only be set for that RUN, but no longer available in each RUN afterwards.

@thaJeztah completely forgot about this! Funny how you're trying to do advanced stuff with Docker and forgetting the very basics.

Thanks, this can be closed.

No worries, thanks!

Hi,
Follow-up on your Q&A...
What about if I want to create a Network device inside the container?
For example:
RUN ip link add dev wg0 type wireguard
Thanks

@chinobit

As mentioned here, this configuration would not be available for the next layer of the build.

I had a similar issue, and ended up adding a script to the container to be executed at run-time.
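The run-time approach the last two comments describe, as an added example that is not code from the docker/cli thread or its participants: an entrypoint script applies the PREROUTING redirect from the issue when the container starts, and first checks that the container actually holds CAP_NET_ADMIN so the failure is explicit rather than a bare "permission denied". It assumes the container is started with --cap-add=NET_ADMIN; the ports, the script name entrypoint.sh and the service command passed as arguments are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the docker/cli issue): apply the iptables redirect at
# run-time, because a Dockerfile RUN step executes in a throwaway container and
# its iptables state is not carried into later layers or into the running image.
# Assumes: started with --cap-add=NET_ADMIN; installed as /entrypoint.sh;
# the real service command is passed as the script's arguments (placeholders).
set -eu

# Bit index of CAP_NET_ADMIN in the kernel capability mask (linux/capability.h).
CAP_NET_ADMIN_BIT=12

# Return 0 when the hex mask in $1 (format of CapEff in /proc/self/status)
# has the NET_ADMIN bit set. Docker's default mask 00000000a80425fb does not.
mask_has_net_admin() {
  [ $(( 0x$1 >> CAP_NET_ADMIN_BIT & 1 )) -eq 1 ]
}

# Read the effective capability mask of the current process.
effective_caps() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Build the iptables arguments that redirect TCP port $1 to port $2.
redirect_rule_args() {
  printf '%s' "-t nat -A PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

main() {
  if ! mask_has_net_admin "$(effective_caps)"; then
    echo "entrypoint: CAP_NET_ADMIN missing; start the container with --cap-add=NET_ADMIN" >&2
    exit 1
  fi
  # Word splitting of the rule string is intended; both ports are numeric literals.
  iptables $(redirect_rule_args 80 8080)
  # Hand over to the real service so it becomes PID 1 and receives signals.
  exec "$@"
}

# Only run main when invoked as the entrypoint, so the functions can be sourced.
case "${0##*/}" in entrypoint.sh) main "$@" ;; esac
```

In docker-compose the equivalent of --cap-add=NET_ADMIN is a cap_add list containing NET_ADMIN on the service; the capability is still granted only to the running container, never to docker build.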
