Assigning additional capabilities using a Docker file

dockerfile
docker-compose
docker run
docker run --entrypoint
docker run in background
docker build --cap-add
dockerfile tag
dockerfile arguments

I need to deploy the Docker image, but I only want to use the Docker run command without using any of its arguments.

I want to assign special permissions while running the container.

This is my Docker run command:

docker run --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH ping

But I just want to use only:

docker run ping

What changes should I make in my Dockerfile? I cannot use Docker Compose (not my use case).

My Docker file:

You can't do that. An image can't grant itself elevated privileges to control the system it runs on; only the administrator actually running the docker run can do that.

It's better to wrap this in something like a Docker Compose YAML file or a shell script that includes all of the required docker run arguments.

If you're trying to build a "helper command" via Docker, there are two things worth remembering. One is that everyone who can run Docker commands has unrestricted root privileges over the host; it's very hard to stop someone from docker run -v /:/host -u root ... and getting unrestricted access to the host's filesystem. Another is that there are many Docker options like this (including setting environment variables, volume mounts, and publishing ports) that are set extremely routinely, so it's hard to build an image where just docker run imagename on its own brings up the image with full functionality.

Write a script like /usr/local/sbin/docker-ping.sh:

#!/bin/sh
# Runs as root via sudo, so this file must be root-owned and not writable by others.
exec docker run --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH ping

Then another script, /usr/local/bin/docker-ping:

#!/bin/sh
# Unprivileged entry point: the only command sudo needs to permit is the script above.
exec sudo /usr/local/sbin/docker-ping.sh

And finally modify sudo appropriately.

If the docker group exists on the system, you probably don't need to use the sudo command. As described at this link, add the group docker, and add your user to the group. That will avoid using sudo. I have just tested other privileged commands and they worked without any issue for me. Repeating the steps from the above link:

sudo groupadd docker
sudo usermod -aG docker $USER

The docker daemon should be restarted for the above to take effect, or restart the machine.

By the way, on the focus of your question, the best option is to launch with a shell script as far as I know. The approach indicated previously is good, but I would write this other one, which allows passing arbitrary parameters and is more generic for any command you could need.

File: privileged-wrapper.sh

#!/bin/bash
IMAGE_NAME="your_image_name"
# The command run inside the container is the name this script was invoked
# under, i.e. the symbolic link (./ping or /usr/local/bin/ping -> ping).
BINARY="$(basename "$0")"
docker run --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH --rm "$IMAGE_NAME" "$BINARY" "$@"

And now you can create as many symbolic links as commands you need for those capabilities (keep in mind that the name of the symbolic link is the command to be launched in the container). The command to be launched is expected to be found in the PATH.

chmod a+x privileged-wrapper.sh
ln -svf privileged-wrapper.sh ping

Finally just launch:

./ping -c 10
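
Putting the two wrapper answers above together, as an added example (this is not code from the original answers): a single script that sudo is allowed to run, with an allow-list of container commands, so that granting sudo on the wrapper does not turn into "run anything at all with CAP_SYS_ADMIN". The image name ping and the two --cap-add flags come from the question; the install path /usr/local/sbin/capwrap.sh, the allow-list contents and the user name alice are assumptions.

```shell
#!/bin/sh
# capwrap.sh: added example, not from the original answers.
# One sudo-able entry point that runs an allow-listed command inside the
# "ping" image (name from the question) with the two extra capabilities.
# Assumed: the install path, the allow-list contents and the user names.
set -eu

IMAGE="ping"
WRAPPER="/usr/local/sbin/capwrap.sh"        # assumed install path
ALLOWED="ping traceroute"                   # assumed: commands users may run
CAP_FLAGS="--cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH"   # flags from the question

# cap_allowed NAME: succeed only if NAME is a plain command word on the list.
# The character check rejects paths, spaces and shell metacharacters, so a
# caller cannot smuggle "ping traceroute" or "ping;id" past the word match.
cap_allowed() {
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    case " $ALLOWED " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# build_args CMD [ARGS...]: print, one per line, the arguments handed to
# docker. Kept separate from exec so the policy can be checked without Docker.
build_args() {
    # shellcheck disable=SC2086  # CAP_FLAGS is deliberately word-split
    printf '%s\n' run --rm $CAP_FLAGS "$IMAGE" "$@"
}

# sudoers_rule USER: print the one-line rule that lets USER run this wrapper
# (and only this wrapper) as root. Add it with: visudo -f /etc/sudoers.d/capwrap
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$WRAPPER"
}

main() {
    if [ "$#" -lt 1 ]; then
        echo "usage: $0 <command> [args...]   (allowed: $ALLOWED)" >&2
        exit 64
    fi
    cmd="$1"; shift
    if ! cap_allowed "$cmd"; then
        echo "capwrap: '$cmd' is not on the allow-list ($ALLOWED)" >&2
        exit 77
    fi
    # shellcheck disable=SC2086
    exec docker run --rm $CAP_FLAGS "$IMAGE" "$cmd" "$@"
}

# Dispatch only when invoked under the installed name, so the file can also be
# sourced to exercise cap_allowed/build_args/sudoers_rule without Docker.
case "${0##*/}" in
    capwrap.sh) main "$@" ;;
esac
```

Install it root-owned and not group- or world-writable (sudo runs it as root, so anyone who can edit the file is root), add the rule printed by sudoers_rule alice through visudo -f /etc/sudoers.d/capwrap, and invoke it as sudo /usr/local/sbin/capwrap.sh ping -c 10. The allow-list only limits which image commands run with the extra capabilities, not what those commands can do: SYS_ADMIN is close to root on the host, so if the image's commands do not need Docker's default capability set, --cap-drop ALL followed by the specific --cap-add flags is the tighter form. In the docker-group setup from the answer above the allow-list adds nothing, because every member of that group is already root-equivalent.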

Comments
  • The Imgur image link is broken (though it may or may not be due to a temporary outage). Use the opportunity to post the text instead. Thanks in advance.
  • What do you mean by modifying sudo?
  • You can configure sudo to only allow the user to run a specific command. The normal configuration would allow the user to run all commands which would allow the user to run arbitrary docker commands. Appropriate sudo configuration would allow the user to only run '/usr/local/sbin/docker-ping.sh'