I am using Docker in lxc mode (i.e. starting the daemon with “-e lxc” option) to be able to assign fixed IP addresses to containers.
I thought I would replace the dreaded "--privileged" option with "--cap-add" instead to increase the security level. However, it does not seem to work.
I get the following:
docker run --cap-add=NET_ADMIN -t -i -P fedora bash
2014/09/12 13:07:34 drop capabilities operation not permitted
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.
Using "--cap-add=ALL" gives the same error message.
Using "--cap-add=MKNOD" or "--cap-add=CHOWN" instead, the container starts without errors.
Is it a bug or is the cap-add feature not completely compatible with the lxc mode for network capabilities?
I am working on a Fedora 20 system.
Thanks for any inputs.
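One way to confirm what a container actually ended up with, as an added example that is not part of the original post: decode the CapEff bitmask from /proc/self/status inside the container and compare it with what --cap-add was meant to grant (and with the near-everything set that --privileged or --cap-add=ALL hands out). The status text below is constructed (Docker's default capability set plus NET_ADMIN); capability bit numbers follow linux/capability.h.

```python
import re
from typing import Iterable, Set, Tuple

# Capability bit numbers from linux/capability.h: CAP_CHOWN = 0 ... CAP_AUDIT_READ = 37.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]

def decode_caps(mask: int) -> Set[str]:
    """Turn a CapEff/CapBnd bitmask into the set of capability names it grants."""
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}

def encode_caps(names: Iterable[str]) -> int:
    """Inverse of decode_caps; used here only to build the constructed sample."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask

def effective_caps(status_text: str) -> Set[str]:
    """Parse the 'CapEff:' line of a /proc/<pid>/status dump."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return decode_caps(int(match.group(1), 16))

# Capabilities that make a container nearly equivalent to root on the host;
# a --cap-add=NET_ADMIN container should have none of them.
DANGEROUS = frozenset({"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE"})

def check_least_privilege(caps: Set[str], wanted: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (wanted caps that are missing, dangerous caps that are present)."""
    return set(wanted) - caps, caps & DANGEROUS

# Constructed sample: Docker's default capability set (as of 2014) plus NET_ADMIN,
# formatted the way the kernel prints it.
DOCKER_DEFAULT = ["CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
                  "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
                  "SYS_CHROOT", "KILL", "AUDIT_WRITE"]
SAMPLE_STATUS = "Name:\tbash\nCapEff:\t%016x\n" % encode_caps(DOCKER_DEFAULT + ["NET_ADMIN"])
```

Inside a running container the real input is simply `cat /proc/self/status`; a CapEff of 0000001fffffffff means every capability the kernel knows, which is what --privileged gives.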