I run processes within my containers as a non-privileged user using the --user option of docker run (or the USER option in Dockerfile). Following the example on [https://www.projectatomic.io/blog/2016/01/how-to-run-a-more-secure-non-root-user-container/], capabilities are correctly dropped in version 1.10.2:
wuebbel@topf:~/docker/proto$ docker -v
Docker version 1.10.2, build c3959b1
wuebbel@topf:~/docker/proto$ docker run -u 3267 fedora grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Recently, we upgraded one server to Ubuntu 16.04 and the docker version to 1.12.2 (from docker repository). On this server, no capabilities are dropped for exactly the same lines:
CBM8032% docker -v
Docker version 1.12.2, build bb80604
CBM8032% docker run -u 3267 fedora grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb
As you would expect, the ordinary user 3267 now has root capabilities inside this container:
CBM8032% docker run -t -i -u 3267 fedora /bin/sh
sh-4.3$ touch x
sh-4.3$ ls -l x
-rw-r--r-- 1 3267 root 0 Oct 21 12:33 x
sh-4.3$ id
uid=3267 gid=0(root) groups=0(root)
sh-4.3$ chown root x
sh-4.3$ ls -l x
-rw-r--r-- 1 root root 0 Oct 21 12:33 x
sh-4.3$ exit
I think I missed a change in capability management somewhere. Could someone enlighten me as to how I restore the old behavior?
Best wishes, Frank
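
A check for the condition shown in the post, as an added example that is not part of the original post: it decodes the Cap* masks from `grep Cap /proc/self/status` into capability names and reports what a non-root UID holds in its effective or ambient set. The function names are hypothetical, the two sample dumps are copied from the post, and the bit-to-name table follows the Linux capability numbering (bits 0 to 37).

```python
# Added example (not from the original post): decode /proc/<pid>/status Cap* masks.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
             "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
             "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
             "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
             "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ").split()

# Sample input: the two outputs quoted in the post (Docker 1.10.2 and 1.12.2).
DOCKER_1_10_2 = """CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000"""
DOCKER_1_12_2 = """CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb"""

def parse_caps(status_text):
    """Return {field: int mask} for the Cap* lines of a status dump."""
    masks = {}
    for line in status_text.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().startswith("Cap"):
            masks[field.strip()] = int(value.strip(), 16)
    return masks

def decode(mask):
    """Translate a capability bitmask into CAP_* names, lowest bit first."""
    names = ["CAP_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    extra = mask >> len(CAP_NAMES) << len(CAP_NAMES)  # bits newer than the table
    return names + (["unknown:0x%x" % extra] if extra else [])

def unexpected_caps(status_text, uid):
    """Capabilities a non-root UID holds in its effective or ambient set."""
    if uid == 0:
        return []  # root is expected to hold the container's default set
    masks = parse_caps(status_text)
    return decode(masks.get("CapEff", 0) | masks.get("CapAmb", 0))

if __name__ == "__main__":
    for label, dump in (("1.10.2", DOCKER_1_10_2), ("1.12.2", DOCKER_1_12_2)):
        held = unexpected_caps(dump, uid=3267)
        print(label, "OK" if not held else "uid 3267 holds: " + ", ".join(held))
```

For the 1.12.2 dump the decoded set includes CAP_CHOWN, which matches the `chown root x` in the shell session succeeding for uid 3267.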