Adding capabilities to containers running as non-root users

I am trying to run a container as a non-root user with capabilities.
In my Dockerfile I add (centos7 based):

setcap cap_chown+ep /usr/bin/chown

Then I execute it as such:

$ docker container run --rm -it --cap-add chown -u nobody my-image chown nobody /
chown: /: Operation not permitted

Does docker support adding capabilities to non-root users?

I am replying to my own thread; this worked:

# cat Dockerfile
FROM centos:7
RUN setcap cap_chown+ie /usr/bin/chown
RUN useradd blah
RUN useradd tester
 
# docker build -t chown-image:1.0.0 .
 
# docker container run --rm -it -u blah chown-image:1.0.0 bash
[blah@55cdc998b62e /]$ whoami
blah
[blah@55cdc998b62e /]$ touch file.txt
[blah@55cdc998b62e /]$ ls -al file.txt
-rw-r--r-- 1 blah blah 0 Oct  2 19:35 file.txt
[blah@55cdc998b62e /]$ chown blah:tester file.txt
[blah@55cdc998b62e /]$ ls -al file.txt
-rw-r--r-- 1 blah tester 0 Oct  2 19:35 file.txt

I stumbled upon the same thing, but I couldn’t reason out why the cap_chown+ep fails.

As per my vague understanding, since the effective bit is set, the ‘permitted’ capabilities should move to ‘effective’ capabilities, so I expected this to work, but it didn’t. Would anyone care to explain why?
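The two posts above differ in how the file capability was set (+ep vs +ie), and what a non-root process gets at execve() is decided by the transformation rules in capabilities(7): P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)), and P'(effective) = P'(permitted) when the file's effective bit is on. A binary carrying file capabilities also clears the ambient set, so ambient does not contribute here. The script below is an added example written for this page, not code from either poster or from Docker; it applies those rules to the hex masks printed in /proc/<pid>/status and predicts whether cap_chown would be effective after exec. The two status snippets are constructed: both have the default Docker bounding set (which contains CAP_CHOWN); one has an empty inheritable set, the other has the bounding set copied into the inheritable set, which is what older Docker versions did for non-root container processes and is why the +ie variant worked in the reply above. Note that by the set arithmetic alone, cap_chown+ep should also have produced an effective CAP_CHOWN; things outside this arithmetic that make the kernel ignore file capabilities entirely include the no_new_privs flag (for example from `--security-opt no-new-privileges`) and a nosuid mount, so the first thing to check in a failing case is the actual CapEff of the running process.

```shell
#!/usr/bin/env bash
# Added example (editor's, not from the thread): predict what a non-root process
# gets when it execs a binary with file capabilities, using the execve() rules
# from capabilities(7). Ambient set is taken as empty because a file-caps binary
# clears it.
#
#   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
#   P'(effective) = F(effective bit) ? P'(permitted) : 0
#
# All masks are hex strings in the form /proc/<pid>/status prints (CapInh:, CapBnd:).

CAP_CHOWN=0   # bit number of CAP_CHOWN (from <linux/capability.h>)

# cap_bit CAPNUM -> hex mask with only that capability set
cap_bit() { printf '%x' $((1 << $1)); }

# mask_has HEXMASK CAPNUM -> exit status 0 if the capability is in the mask
mask_has() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# status_field "<text of /proc/<pid>/status>" NAME -> hex value of the "NAME:" line
status_field() { printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'; }

# exec_permitted P_INH P_BND F_INH F_PRM -> hex P'(permitted) after execve
exec_permitted() {
    printf '%x' $(( (0x$1 & 0x$3) | (0x$4 & 0x$2) ))
}

# exec_effective P_INH P_BND F_INH F_PRM F_EFF -> hex P'(effective) after execve
# F_EFF is 1 when the file was set with +e, 0 otherwise
exec_effective() {
    if [ "$5" -eq 1 ]; then exec_permitted "$1" "$2" "$3" "$4"; else printf '0'; fi
}

# will_have_cap "<status text>" F_INH F_PRM F_EFF CAPNUM
# -> prints "yes" if the capability would be effective after exec, else "no"
will_have_cap() {
    local pinh pbnd eff
    pinh=$(status_field "$1" CapInh)
    pbnd=$(status_field "$1" CapBnd)
    eff=$(exec_effective "$pinh" "$pbnd" "$2" "$3" "$4")
    if mask_has "$eff" "$5"; then echo yes; else echo no; fi
}

# --- Constructed sample input (not captured from the thread) ------------------
# A non-root process with the default Docker bounding set (contains CAP_CHOWN)
# and an empty inheritable set, as current Docker starts non-root processes:
STATUS_EMPTY_INH='CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb'
# The same process, but with the bounding set copied into the inheritable set,
# as older Docker versions did for non-root container processes:
STATUS_INH_CHOWN='CapInh:	00000000a80425fb
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb'

# File capability encodings used in the thread:
#   setcap cap_chown+ep -> F(permitted)=chown, F(inheritable)=0, effective bit on
#   setcap cap_chown+ie -> F(inheritable)=chown, F(permitted)=0, effective bit on
FCAP_CHOWN=$(cap_bit $CAP_CHOWN)

demo() {
    printf 'cap_chown+ep, inheritable empty   : %s\n' \
        "$(will_have_cap "$STATUS_EMPTY_INH" 0 "$FCAP_CHOWN" 1 $CAP_CHOWN)"
    printf 'cap_chown+ie, inheritable empty   : %s\n' \
        "$(will_have_cap "$STATUS_EMPTY_INH" "$FCAP_CHOWN" 0 1 $CAP_CHOWN)"
    printf 'cap_chown+ie, inheritable=bounding: %s\n' \
        "$(will_have_cap "$STATUS_INH_CHOWN" "$FCAP_CHOWN" 0 1 $CAP_CHOWN)"
}

demo
```

To use it against a real container rather than the constructed snippets, run it inside the container as the non-root user and pass the live status text, e.g. `will_have_cap "$(cat /proc/self/status)" 0 "$(cap_bit 0)" 1 0` for a cap_chown+ep binary, and compare with what the process actually has via `mask_has "$(status_field "$(cat /proc/self/status)" CapEff)" 0`. If the prediction says yes but the exec'd chown still fails, the set arithmetic is not the problem and the no_new_privs flag (`NoNewPrivs:` in the same status file) or the mount options of the filesystem holding the binary are the next things to look at.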