Docker-Compose: order of cap_drop and cap_add?

The docker compose file reference describes the cap_add and cap_drop elements in a rather terse fashion:

Add or drop container capabilities. See man 7 capabilities for a full list.

Do these elements have an order, that is, add first, then drop? Or does the order matter (is that supported in YAML at all for dictionaries)?

What happens when one of cap_add or cap_drop contains ALL?


Don’t have the answer, but also curious. Especially on
  cap_add:
    - NET_ADMIN

I’ve found it out when I had a lucky streak with moby’s source code. Details answered here: https://stackoverflow.com/a/63219871

Bottom line: the order of cap_add and cap_drop is hardcoded (YAML doesn’t define any order, so the same holds for CLI args), but it varies depending on whether ALL is present. The first matching case below terminates.

  • container is privileged: true: ignore cap_add and cap_drop completely, return all available capabilities instead.
  • both cap_add and cap_drop are empty: return the default Docker set of capabilities.
  • cap_add contains ALL: return all capabilities minus the capabilities listed in cap_drop (ignores ALL in the latter).
  • cap_drop contains ALL: return the capabilities from cap_add only, ignoring any Docker default capabilities.
  • default: first drop all capabilities from the default set listed in cap_drop, then add the capabilities in cap_add, and finally return the result.
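The five cases from the answer above, worked through as an added example that is not part of the original answer and not moby's own code: a Go function that resolves the effective capability set in exactly that order, so you can predict what a given cap_add/cap_drop pair yields before starting a container. The allCaps and defaultCaps lists are constructed, abbreviated stand-ins for the example, not Docker's real lists, and the case-folding and CAP_-prefix stripping in normalize is an assumption made here for convenience.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed, abbreviated capability universe for this example.
// Docker's real list comes from moby; only the resolution order matters here.
var allCaps = []string{
	"CHOWN", "DAC_OVERRIDE", "FOWNER", "KILL", "NET_BIND_SERVICE",
	"NET_RAW", "SETGID", "SETUID", "NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE",
}

// Constructed stand-in for Docker's default capability set.
var defaultCaps = []string{
	"CHOWN", "DAC_OVERRIDE", "FOWNER", "KILL", "NET_BIND_SERVICE",
	"NET_RAW", "SETGID", "SETUID",
}

// normalize turns "net_admin", "CAP_NET_ADMIN" or "NET_ADMIN" into "NET_ADMIN".
// (Assumption for the example; it mirrors how names are usually written in compose files.)
func normalize(name string) string {
	n := strings.ToUpper(strings.TrimSpace(name))
	return strings.TrimPrefix(n, "CAP_")
}

func toSet(caps []string) map[string]bool {
	s := make(map[string]bool, len(caps))
	for _, c := range caps {
		s[normalize(c)] = true
	}
	return s
}

func sortedKeys(s map[string]bool) []string {
	out := make([]string, 0, len(s))
	for c := range s {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// ResolveCapabilities applies the five cases from the answer in order;
// the first matching case decides the result.
func ResolveCapabilities(privileged bool, capAdd, capDrop []string) []string {
	add, drop := toSet(capAdd), toSet(capDrop)
	switch {
	case privileged:
		// privileged: true ignores cap_add and cap_drop entirely.
		return sortedKeys(toSet(allCaps))
	case len(add) == 0 && len(drop) == 0:
		// Nothing requested: Docker's default set.
		return sortedKeys(toSet(defaultCaps))
	case add["ALL"]:
		// Everything minus cap_drop; an ALL inside cap_drop has no effect.
		result := toSet(allCaps)
		for c := range drop {
			delete(result, c)
		}
		return sortedKeys(result)
	case drop["ALL"]:
		// Only what cap_add names; the defaults are discarded.
		return sortedKeys(add)
	default:
		// Start from the defaults, drop first, then add (so cap_add wins on overlap).
		result := toSet(defaultCaps)
		for c := range drop {
			delete(result, c)
		}
		for c := range add {
			result[c] = true
		}
		return sortedKeys(result)
	}
}

func main() {
	fmt.Println(ResolveCapabilities(false, []string{"NET_ADMIN"}, []string{"ALL"}))
	fmt.Println(ResolveCapabilities(false, []string{"ALL"}, []string{"SYS_ADMIN", "ALL"}))
	// The same capability in both lists: dropped from the defaults first, then added back.
	fmt.Println(ResolveCapabilities(false, []string{"NET_ADMIN"}, []string{"NET_RAW", "NET_ADMIN"}))
}
```

The third call is the case people get wrong: listing NET_ADMIN in both cap_add and cap_drop leaves the container with NET_ADMIN, because dropping happens before adding. To confirm against a real engine, start the container and compare with `grep CapEff /proc/1/status` inside it, decoded with `capsh --decode=<hex>`.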