I need to run a container as non-root user by default. However a specific process inside this container needs to execute a binary that needs cap_net_admin capabilities (e.g: ip command).

I tried running the container with '--privileged' flag, assigning file capability cap_net_admin to 'ip' binary, as well as changing the group to the user's group. This did not work. What is the correct way to get this working?

# cat Dockerfile
FROM  ubuntu:21.04
RUN apt-get update
RUN apt-get install -f -y iproute2
RUN chgrp nogroup /bin/ip
RUN chmod g x /bin/ip
RUN setcap 'cap_net_admin epi' /bin/ip
USER nobody


# docker build .
Successfully built be565bc8f52d

# docker run --rm --user nobody  --privileged -it be565bc8f52d /bin/bash
nobody@9834cfaa833f:/$ getcap /bin/ip
/bin/ip cap_net_admin=eip
nobody@9834cfaa833f:/$ ls -lhrt /bin/ip
-rwxr-xr-x 1 root nogroup 626K Mar 17  2021 /bin/ip
nobody@9834cfaa833f:/$ groups nobody
nobody : nogroup
nobody@9834cfaa833f:/$  cat proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
nobody@9834cfaa833f:/$ ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted

Note: With older docker version, this was working with setcap and privileged flag. Probably it stopped working due to the fix for this CVE.

# docker --version
Docker version 20.10.14, build a224086

CodePudding user response：

Elaborating on my comment to the question, I think this is a problem with the ip code's attempt to suppress Ambient capabilities except in one specific command line case.

I've suggested a fix in this bug report: https://github.com/shemminger/iproute2/issues/62