moby: setcap is not supported in Docker?

Here is the problem,

root@25ef774c3905:/home/vcap# setcap cap_net_bind_service=+ep /tmp/setcaptest 
Failed to set capabilities on file `/tmp/setcaptest' (Operation not supported)

OS type of my container is Ubuntu 10.04.4 LTS run with --privileged, and it’s running on:

Linux 25ef774c3905 3.8.0-38-generic #56~precise1-Ubuntu SMP Thu Mar 13 16:22:48 UTC 2014 x86_64 GNU/Linux

I also tried Ubuntu12.04 container, it reports the same error, so is it true that Docker dose not support setcap command yet?

About this issue

Original URL
State: closed
Created 10 years ago
Comments: 24 (18 by maintainers)

Links to this issue

How do you feel about setting net.ipv4.ip_unprivileged_port_start=0 to let you bind to ports like 80 / 443 if your container runs as a non-root user?

Commits related to this issue

Skip setcap on docker. See docker/docker#5650 — committed to hsheth2/gonet by hsheth2 8 years ago

Most upvoted comments

I used https://github.com/scionproto/docker-caps

FROM scionproto/docker-caps as caps
FROM node:12-buster-slim

COPY --from=caps /bin/setcap /bin
# Allow non-root users to bind to port 80 via node apps
RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/node

MartinMuzatko on Sep 10, 2020

@CsterKuroi the version of aufs on Ubuntu 14.04 / kernel 3.13 is probably too old. You can try switching to their newer kernels; Ubuntu 14.04.5 also allows you to run with kernel 4.4; https://wiki.ubuntu.com/Kernel/Support

I tested this on Ubuntu 16.04, and looks to work there;

Linux ubuntu-2gb-ams3-01 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ docker run ubuntu setcap cap_net_bind_service=+ep /bin/true
$

thaJeztah on Mar 1, 2017