I run processes within my containers as a non-privileged user using the --user option of docker run (or the USER option in a Dockerfile). Following the example on [https://www.projectatomic.io/blog/2016/01/how-to-run-a-more-secure-non-root-user-container/], capabilities are correctly dropped in version 1.10.2:
wuebbel@topf:~/docker/proto$ docker -v
Docker version 1.10.2, build c3959b1
wuebbel@topf:~/docker/proto$ docker run -u 3267 fedora grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Recently, we upgraded one server to Ubuntu 16.04 and the docker version to 1.12.2 (from the docker repository). On this server, no capabilities are dropped for exactly the same lines:
CBM8032% docker -v
Docker version 1.12.2, build bb80604
CBM8032% docker run -u 3267 fedora grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb
As you would expect, the ordinary user 3267 now has root capabilities inside this container:
CBM8032% docker run -t -i -u 3267 fedora /bin/sh
sh-4.3$ touch x
sh-4.3$ ls -l x
-rw-r--r-- 1 3267 root 0 Oct 21 12:33 x
sh-4.3$ id
uid=3267 gid=0(root) groups=0(root)
sh-4.3$ chown root x
sh-4.3$ ls -l x
-rw-r--r-- 1 root root 0 Oct 21 12:33 x
sh-4.3$ exit
I think I missed a change in capability management somewhere. Could someone enlighten me as to how I restore the old behavior?
Best wishes, Frank
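The raw CapXxx lines from /proc/self/status are hard to read as hex masks. The following is an added example, not part of Frank's post or of Docker itself: a POSIX sh script that decodes a capability mask into the CAP_* names from linux/capability.h and checks whether a captured status block really shows an unprivileged process (CapPrm and CapEff both zero). The two sample status blocks are copied from the post above; the bit-to-name table is the upstream kernel numbering.

```shell
#!/bin/sh
# Added example (not from the original post): decode the capability masks
# printed by `grep Cap /proc/self/status` and test whether they are dropped.

# Capability bit numbers as defined in linux/capability.h.
cap_name() {
    case "$1" in
        0) echo CAP_CHOWN ;;            1) echo CAP_DAC_OVERRIDE ;;
        2) echo CAP_DAC_READ_SEARCH ;;  3) echo CAP_FOWNER ;;
        4) echo CAP_FSETID ;;           5) echo CAP_KILL ;;
        6) echo CAP_SETGID ;;           7) echo CAP_SETUID ;;
        8) echo CAP_SETPCAP ;;          9) echo CAP_LINUX_IMMUTABLE ;;
        10) echo CAP_NET_BIND_SERVICE ;; 11) echo CAP_NET_BROADCAST ;;
        12) echo CAP_NET_ADMIN ;;       13) echo CAP_NET_RAW ;;
        14) echo CAP_IPC_LOCK ;;        15) echo CAP_IPC_OWNER ;;
        16) echo CAP_SYS_MODULE ;;      17) echo CAP_SYS_RAWIO ;;
        18) echo CAP_SYS_CHROOT ;;      19) echo CAP_SYS_PTRACE ;;
        20) echo CAP_SYS_PACCT ;;       21) echo CAP_SYS_ADMIN ;;
        22) echo CAP_SYS_BOOT ;;        23) echo CAP_SYS_NICE ;;
        24) echo CAP_SYS_RESOURCE ;;    25) echo CAP_SYS_TIME ;;
        26) echo CAP_SYS_TTY_CONFIG ;;  27) echo CAP_MKNOD ;;
        28) echo CAP_LEASE ;;           29) echo CAP_AUDIT_WRITE ;;
        30) echo CAP_AUDIT_CONTROL ;;   31) echo CAP_SETFCAP ;;
        32) echo CAP_MAC_OVERRIDE ;;    33) echo CAP_MAC_ADMIN ;;
        34) echo CAP_SYSLOG ;;          35) echo CAP_WAKE_ALARM ;;
        36) echo CAP_BLOCK_SUSPEND ;;   37) echo CAP_AUDIT_READ ;;
        *) echo "CAP_$1" ;;   # bit newer than this table
    esac
}

# Print the capability names set in a hex mask such as 00000000a80425fb,
# in ascending bit order, space separated (empty string for an all-zero mask).
decode_caps() {
    mask=$((0x$1))
    i=0
    out=""
    while [ "$i" -lt 64 ]; do
        if [ $(( (mask >> i) & 1 )) -ne 0 ]; then
            out="$out $(cap_name "$i")"
        fi
        i=$((i + 1))
    done
    echo "${out# }"
}

# Return 0 (true) when a captured status block shows neither permitted nor
# effective capabilities, i.e. the non-root user really is unprivileged.
# CapInh/CapBnd/CapAmb alone do not grant anything until exec of a file
# with file capabilities, so only CapPrm and CapEff decide this check.
caps_dropped() {
    prm=$(printf '%s\n' "$1" | awk '/^CapPrm:/ {print $2}')
    eff=$(printf '%s\n' "$1" | awk '/^CapEff:/ {print $2}')
    [ $((0x${prm:-0})) -eq 0 ] && [ $((0x${eff:-0})) -eq 0 ]
}

# Human-readable summary of every Cap* line in a status block.
report_caps() {
    printf '%s\n' "$1" | awk '/^Cap/ {print $1, $2}' | while read -r label hex; do
        names=$(decode_caps "$hex")
        printf '%s %s\n' "$label" "${names:-(none)}"
    done
}

# Sample input copied from the post: docker 1.10.2 with -u 3267.
OLD_STATUS='CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

# Sample input copied from the post: docker 1.12.2 with -u 3267.
NEW_STATUS='CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb'

echo "== docker 1.10.2 =="; report_caps "$OLD_STATUS"
caps_dropped "$OLD_STATUS" && echo "unprivileged: yes" || echo "unprivileged: NO"
echo "== docker 1.12.2 =="; report_caps "$NEW_STATUS"
caps_dropped "$NEW_STATUS" && echo "unprivileged: yes" || echo "unprivileged: NO"
```

Decoding 00000000a80425fb yields the fourteen capabilities of Docker's default set (CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP), which is why the unprivileged uid can chown to root in the 1.12.2 session. To check a live container, pipe `docker run -u 3267 <image> cat /proc/self/status` into caps_dropped; if it reports NO, starting the container with the documented `--cap-drop=ALL` flag empties the bounding set so no capability can appear in CapPrm or CapEff regardless of how the runtime populates CapAmb.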