How to add a --cap-add parameter to a Dockerfile?

I’m starting to learn docker

I’m trying to make this Dockerfile

FROM ubuntu
LABEL maintainer="<your-name>"
RUN apt update
RUN apt install iptables -y
RUN apt install ppp pptpd -y
RUN apt install vim -y
RUN sed -i -e '$alocalip' /etc/pptpd.conf
RUN sed -i -e '$aremoteip' /etc/pptpd.conf
RUN sed -i -e '$anet.ipv4.ip_forward=1' /etc/sysctl.conf
RUN iptables -A INPUT -p gre -j ACCEPT
RUN iptables -A INPUT -m tcp -p tcp --dport 1723 -j ACCEPT
RUN iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
RUN iptables -A INPUT -s -j ACCEPT
RUN iptables -I INPUT -s -j ACCEPT
RUN service pptpd restart

But I get an error at the step RUN iptables -A INPUT -p gre -j ACCEPT.
The reason for this is a lack of privileges, in particular NET_ADMIN.

How to add a --cap-add parameter to a Dockerfile?

An image is supposed to encapsulate an application or service, its dependencies, config files and a more or less clever entrypoint script, and is usually based on a base image, which itself is a minimal set of binaries, libraries and config files that make up a specific distribution. Base images are not full operating systems, though, and they do not provide systemd.

You cannot persist (in-memory) runtime state in an image. Each RUN instruction results in a new image layer, which is run in a separate build container. The iptables and service lines in your Dockerfile don’t make sense, as they wouldn’t end up in the image anyway.

A container created from an image does not have its own kernel, does not boot, does not run system services… it only executes whatever is declared as ENTRYPOINT with CMD (if additionally declared) as argument to ENTRYPOINT, or if only CMD is specified whatever is declared as CMD. A container is just an isolated process on the host…

If you want to learn about docker concepts and how things are done with Docker, I can highly recommend this free self-paced docker training: Introduction to Containers
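Since capabilities are granted to the container at run time (docker run --cap-add=NET_ADMIN) and never by the Dockerfile, the iptables rules belong in an entrypoint script rather than in RUN instructions. The following entrypoint is an added example, not code from the thread or from Docker: it checks the CapEff mask in /proc/self/status for CAP_NET_ADMIN (capability number 12) before applying the rules from the question, and assumes pptpd's --fg foreground flag.

```shell
#!/bin/sh
# Added example: runtime entrypoint for the pptpd image from the question.
# Build and run it with (the hardening is the --cap-add, not the Dockerfile):
#   COPY entrypoint.sh /entrypoint.sh    ENTRYPOINT ["/entrypoint.sh"]
#   docker build -t pptp . && docker run --cap-add=NET_ADMIN pptp
NET_ADMIN_BIT=12   # CAP_NET_ADMIN is capability number 12 in the Linux kernel

# Read the effective capability mask (hex string) of the current process.
current_cap_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Return 0 when the given hex mask has CAP_NET_ADMIN set, 1 otherwise.
# Docker's default mask is 00000000a80425fb; --cap-add=NET_ADMIN sets bit 12.
has_net_admin() {
    mask="$1"
    [ $(( (0x$mask >> NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# The firewall rules from the question, applied at container start instead of
# at build time; eth0 and 1723/tcp are the interface and port used in the question.
apply_pptp_rules() {
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A INPUT -m tcp -p tcp --dport 1723 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# Only act as the entrypoint when ENTRYPOINT_MAIN=1, so the functions above can
# also be sourced and checked on their own.
if [ "${ENTRYPOINT_MAIN:-0}" = "1" ]; then
    if has_net_admin "$(current_cap_mask)"; then
        apply_pptp_rules
        exec pptpd --fg   # assumed pptpd foreground flag; keeps the container alive
    else
        echo "CAP_NET_ADMIN missing: start with 'docker run --cap-add=NET_ADMIN ...'" >&2
        exit 1
    fi
fi
```

Without the capability the container fails fast with a clear message instead of failing halfway through the rule set.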