VanagaS

Reputation: 3698

How can we add capabilities to a running docker container?

Is it possible to add a capability (for ex: NET_ADMIN) after the container has actually started?

I started a container a few days ago and a service provided by it is being used by several other processes which are running remotely on other servers. I need to add a loopback interface to it, but unfortunately, I forgot to start the container with --cap-add=NET_ADMIN and hence couldn't add the interface now.

I'm looking for an option, if it is possible to give this capability somehow to this container.

Upvotes: 21

Views: 25152

Answers (4)

Hamid Ftillou

Reputation: 1

I hope this response will help someone. In 2022, try this instead: start the container with the option --cap-add=NET_ADMIN:

    docker run ... --cap-add=NET_ADMIN ...

Upvotes: -4

Ryan Li

Reputation: 434

  1. Stop the container:

    docker stop your-container
    
  2. Get the container's ID:

    docker inspect your-container
    
  3. Modify its hostconfig.json file, found by default in /var/lib/docker:

    vim /var/lib/docker/containers/ID/hostconfig.json
    
  4. Search for "CapAdd" and change its value (null by default) to whatever you need:

    ...,"CapAdd":["NET_ADMIN"],"CapDrop":null,...
    
  5. Restart the docker daemon on the host to make it reload the container configuration:

    service docker restart
    
  6. Restart your container:

    docker start your-container
    

Upvotes: 18
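Steps 3 and 4 of the answer above, done with a JSON parser instead of a hand edit in vim; this is an added example, not part of the original answer. The names `add_capability` and `patch_file` are hypothetical, and refusing when the capability also appears in "CapDrop" is a choice made by this example. Run it while the container is stopped, then continue with steps 5 and 6.

```python
import json
import os
import shutil
import tempfile


def _norm(cap: str) -> str:
    """Normalise to the form the answer stores: NET_ADMIN, not cap_net_admin."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def add_capability(hostconfig: dict, cap: str) -> dict:
    """Return a copy of a parsed hostconfig.json with `cap` present in CapAdd."""
    cap = _norm(cap)
    dropped = [_norm(c) for c in (hostconfig.get("CapDrop") or [])]
    if cap in dropped:
        # Example's choice: refuse rather than guess which setting should win.
        raise ValueError(f"{cap} is also listed in CapDrop; resolve that first")
    updated = dict(hostconfig)
    current = list(hostconfig.get("CapAdd") or [])  # "CapAdd" is null by default
    if cap not in [_norm(c) for c in current]:
        current.append(cap)                         # keep capabilities already granted
    updated["CapAdd"] = current
    return updated


def patch_file(path: str, cap: str) -> list:
    """Rewrite hostconfig.json in place, keeping a .bak copy; returns the new CapAdd."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)                      # fails loudly on a corrupt file
    updated = add_capability(config, cap)
    shutil.copy2(path, path + ".bak")               # original kept for rollback
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(updated, fh, separators=(",", ":"))  # compact, single line
    shutil.copymode(path, tmp)                      # keep the original permissions
    os.replace(tmp, path)                           # atomic swap on the same filesystem
    return updated["CapAdd"]


if __name__ == "__main__":
    import sys
    # Arguments: path to the container's hostconfig.json, capability name.
    print(patch_file(sys.argv[1], sys.argv[2]))
```

The `.bak` copy left next to the file is the rollback path if the daemon rejects the edited configuration after the restart in step 5.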

BMitch

Reputation: 264721

No, you cannot modify the capabilities of a running container. These can only be defined when you first create or run (which is just a create+start) the container. You'll need to create a new container with the desired capabilities.

I should point out that you can assign additional network interfaces to a running container with docker network connect, but I'm not aware of any loopback drivers you could use to solve your issue using this technique.

Upvotes: 10

Miad Abrin

Reputation: 968

You can run commands inside a running container using docker exec -it {container_id} /bin/bash. It will create a bash shell for you that you can run commands with. But generally it's not a good practice to have modifications on image states, since it removes the portability of images.

Upvotes: -7
