Docker Community Forums

What capabilities are required for "ls /"

OS: circleCI machine ubuntu-1604:201903-01
Kernel: 4.15.0-1027-gcp #28~16.04.1-Ubuntu SMP
Image: archlinux:20200407

(1) $ docker --version
Docker version 18.09.3, build 774a1f4

(2) $ sudo -i docker run -d --memory 7168M --memory-swap 7168M --name arch -u 0:0 archlinux:20200407 /bin/sleep 1d
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
3d281ce849ff37d51b131eef9f012e1829cd4e7bd373d79ab696506f4eb2c339

(3) $ sudo -i docker exec -w / -i arch /bin/ls -Al /
/bin/ls: cannot access '/': Operation not permitted

(4) $ sudo -i docker exec -w / -i arch /bin/ls -Al
/bin/ls: cannot access 'home': Operation not permitted
/bin/ls: cannot access 'dev': Operation not permitted
/bin/ls: cannot access 'sys': Operation not permitted
/bin/ls: cannot access 'boot': Operation not permitted
/bin/ls: cannot access 'srv': Operation not permitted
/bin/ls: cannot access 'etc': Operation not permitted
/bin/ls: cannot access 'mnt': Operation not permitted
/bin/ls: cannot access 'usr': Operation not permitted
/bin/ls: cannot access 'var': Operation not permitted
/bin/ls: cannot access 'run': Operation not permitted
/bin/ls: cannot access 'lib64': Operation not permitted
/bin/ls: cannot access 'proc': Operation not permitted
/bin/ls: cannot access 'opt'total 0
l????????? ? ? ? ?            ? bin
d????????? ? ? ? ?            ? boot
d????????? ? ? ? ?            ? dev
-????????? ? ? ? ?            ? .dockerenv
d????????? ? ? ? ?            ? etc
d????????? ? ? ? ?            ? home
l????????? ? ? ? ?            ? lib
l????????? ? ? ? ?            ? lib64
d????????? ? ? ? ?            ? mnt
d????????? ? ? ? ?            ? opt
d????????? ? ? ? ?            ? proc
d????????? ? ? ? ?            ? root
d????????? ? ? ? ?            ? run
l????????? ? ? ? ?            ? sbin
d????????? ? ? ? ?            ? srv
d????????? ? ? ? ?            ? sys
d????????? ? ? ? ?            ? tmp
d????????? ? ? ? ?            ? usr
d????????? ? ? ? ?            ? var
: Operation not permitted
/bin/ls: cannot access 'root': Operation not permitted
/bin/ls: cannot access 'bin': Operation not permitted
/bin/ls: cannot access 'tmp': Operation not permitted
/bin/ls: cannot access 'sbin': Operation not permitted
/bin/ls: cannot access 'lib': Operation not permitted
/bin/ls: cannot access '.dockerenv': Operation not permitted

Why may I not access the root dir in (3)?
Why am I able to access the root dir in (4)?
Why are the usernames gone in (4)?
If I docker run --privileged then ls works fine. Is it suggesting that even a mere listing of files in root dir requires some --cap-add?
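A way to narrow the question down, as an added diagnostic that is not part of the original post. "Operation not permitted" is EPERM, and the stat family of syscalls documents EACCES, never EPERM, for ordinary permission failures; EPERM from an lstat on a world-readable directory therefore points at a syscall filter rather than at a missing capability. Docker's default seccomp profile answers syscalls outside its allowlist with exactly that errno, and `--privileged` removes the seccomp profile as well as granting all capabilities, so it cannot tell the two apart; `--security-opt seccomp=unconfined` with default capabilities isolates the seccomp variable. The pattern in (4) matches this: the directory read itself (getdents) is allowed, so the names appear, but the per-entry lstat that long format needs fails, and ls prints `?` in every column it could not fill, including owner and group. A common case around the date of this image is ls from coreutils 8.32 calling statx(2), which an older Docker or libseccomp on the host does not recognise; whether that is what happened on this CircleCI host is an assumption. The probe below issues the raw statx syscall and the older fstatat path against a given file and classifies the errno each returns.

```c
/*
 * stat_probe.c: added diagnostic, not code from the forum post.
 * Calls the stat-family syscalls ls uses and classifies the errno, so that
 * "Operation not permitted" (EPERM) from a syscall filter can be told apart
 * from a real permission problem (EACCES) or a kernel that lacks the syscall
 * (ENOSYS). Build: cc -o stat_probe stat_probe.c ; run it inside the container.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef STATX_BASIC_STATS
#define STATX_BASIC_STATS 0x7ffU   /* mask for the fields plain stat() returns */
#endif

enum stat_fail_cause {
    CAUSE_OK = 0,
    CAUSE_FILTERED,    /* EPERM: seccomp (Docker's default action) or an LSM denied the call */
    CAUSE_DAC,         /* EACCES: ordinary mode-bit problem on a path component */
    CAUSE_NO_SYSCALL,  /* ENOSYS: kernel too old for this syscall */
    CAUSE_MISSING,     /* ENOENT: the path does not exist */
    CAUSE_OTHER
};

/* stat(2)/fstatat(2) document EACCES, never EPERM, for permission failures,
 * so EPERM here points at a syscall filter, not at a missing capability. */
enum stat_fail_cause classify_stat_errno(int err)
{
    switch (err) {
    case 0:      return CAUSE_OK;
    case EPERM:  return CAUSE_FILTERED;
    case EACCES: return CAUSE_DAC;
    case ENOSYS: return CAUSE_NO_SYSCALL;
    case ENOENT: return CAUSE_MISSING;
    default:     return CAUSE_OTHER;
    }
}

const char *cause_name(enum stat_fail_cause c)
{
    static const char *names[] = {
        "ok",
        "denied by seccomp/LSM (EPERM) - not a capability issue",
        "discretionary permission denied (EACCES)",
        "syscall unknown to this kernel (ENOSYS)",
        "path does not exist (ENOENT)",
        "other error",
    };
    return names[c];
}

/* Raw statx(2), the call ls from coreutils >= 8.32 makes for each entry.
 * Going through syscall(2) keeps libc from silently falling back to fstatat.
 * Returns 0 on success, otherwise the errno value. */
int probe_statx(const char *path)
{
#ifdef SYS_statx
    unsigned long long stx[32];      /* 256 bytes, sizeof(struct statx), 8-byte aligned */
    long rc = syscall(SYS_statx, AT_FDCWD, path, AT_SYMLINK_NOFOLLOW,
                      STATX_BASIC_STATS, stx);
    return rc == 0 ? 0 : errno;
#else
    (void)path;
    return ENOSYS;                   /* build headers predate statx; treat as absent */
#endif
}

/* The older fstatat(2) path through the libc wrapper, which every Docker
 * seccomp profile allows; success here beside EPERM above isolates the cause. */
int probe_fstatat(const char *path)
{
    struct stat st;
    return fstatat(AT_FDCWD, path, &st, AT_SYMLINK_NOFOLLOW) == 0 ? 0 : errno;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    int e_fstatat = probe_fstatat(path);
    int e_statx = probe_statx(path);
    printf("fstatat(%s): %s\n", path, cause_name(classify_stat_errno(e_fstatat)));
    printf("statx(%s):   %s\n", path, cause_name(classify_stat_errno(e_statx)));
    return 0;
}
```

Run it with the same `docker run` flags as in (2) and again with `--security-opt seccomp=unconfined`: if statx reports EPERM in the first run and succeeds in the second while fstatat succeeds in both, the listing needs no `--cap-add` at all, and the fix is a Docker/libseccomp version whose profile knows the syscall, not extra capabilities.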