Docker-Compose: order of cap_drop and cap_add?

thediveo · January 29, 2021, 10:26am

I’ve found it out when I had a lucky streak with moby’s source code. Details answered here: https://stackoverflow.com/a/63219871

bottom line: order of cap add and drop is hardcoded (YAML doesn’t define any, thus same for CLI args), but varies depending on especially ALL. First matching case below terminates.

container is privileged: true : ignore cap_add and cap_drop completely, return all available capabilities instead.
both cap_add and cap_drop are empty : return the default Docker set of capabilities.
cap_add contains ALL : return all capabilities minus the capabilities listed in cap_drop (ignores ALL in the latter).
cap_drop contains ALL : return the capabilities from cap_add only, ignoring any Docker default capabilities.
default: first drop all capabilites from the default set listed in cap_drop , then add the capabilities in cap_add , and finally return the result.

Topic		Replies	Views
Docker stack ignores cap_add and privileged option within compose file Docker Hub	2	12588	October 18, 2017
[rootless] Compose ignoring cap add NET_ADMIN while docker run works Compose	4	5721	August 6, 2023
Cap_add has been removed, what is the alternate? General docker	2	2165	August 26, 2019
Issue with compose and ssh Compose	0	679	December 20, 2020
Docker-compose seems to be ignoring cap_add: NET_ADMIN Docker Hub docker	2	39755	September 21, 2020

Docker-Compose: order of cap_drop and cap_add?

Related topics