Alex Shroyer

Reputation: 3829

"RTNETLINK answers: Operation not permitted" during `docker build`

I want to build a Docker image with latency+loss on some localhost ports using `tc` and `netem`.
The `tc` command works on a regular VM, but not in the Dockerfile.

Here's my Dockerfile:

```dockerfile
FROM ubuntu:16.04

RUN DEBIAN_FRONTEND="noninteractive" \
    apt-get update --fix-missing && \
    apt-get -y install \
    apt-utils \
    software-properties-common \
    iproute2

RUN tc qdisc add dev lo root handle 1: htb
```

I attempt to build it with this command:

```
docker build .
```

But it fails on the RUN command with this error:

```
Step 3/3 : RUN tc qdisc add dev lo root handle 1: htb
 ---> Running in 59b27236040b
RTNETLINK answers: Operation not permitted
```

I found this, but my problem occurs during `docker build`, not `docker run`. There is no way for me to specify `--cap-add` because that is not an option for `docker build`.

Upvotes: 1

Views: 6392

Answers (1)

Alex Shroyer

Reputation: 3829

As one of the comments said, it does not make sense to `RUN` a `tc` command during the build phase.

The workaround I used was:

  1. Add permissions for `tc` in the container (if the eventual container user is not root), but don't actually `RUN` any of the `tc` commands in the Dockerfile.
  2. Build the container as normal.
  3. Run the container, adding `--cap-add=NET_ADMIN`.
  4. From inside the running container, execute the `tc` commands.

Upvotes: 2
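
The workaround above, written as a container entrypoint that checks for `CAP_NET_ADMIN` before applying the question's `tc` rule. This is an added example, not part of the original answer. Assumptions: the script is copied into the image as `/entrypoint.sh`, it runs as root, and the `--apply` flag and the image name `netem-test` are hypothetical.

```shell
#!/bin/sh
# entrypoint.sh (hypothetical name): apply the question's tc rule at container
# start, where --cap-add=NET_ADMIN can take effect, instead of in a RUN step.
# Assumes the entrypoint runs as root.
#   docker build -t netem-test .                 # image name is an assumption
#   docker run --cap-add=NET_ADMIN netem-test /entrypoint.sh --apply sleep 60

CAP_NET_ADMIN_BIT=12   # CAP_NET_ADMIN in <linux/capability.h>

# has_net_admin MASK: succeed if the hex capability mask has CAP_NET_ADMIN set.
has_net_admin() {
    [ $(( (0x$1 >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# current_capeff [FILE]: print the effective capability mask of this process.
# FILE defaults to /proc/self/status; the argument exists so it can be tested.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# apply_shaping [FILE]: refuse early with a clear message when the capability
# is missing, rather than failing with "RTNETLINK answers: Operation not permitted".
apply_shaping() {
    capeff=$(current_capeff "${1:-/proc/self/status}")
    if [ -z "$capeff" ] || ! has_net_admin "$capeff"; then
        echo "CAP_NET_ADMIN not in effective set (CapEff=${capeff:-unknown});" \
             "run the container with --cap-add=NET_ADMIN" >&2
        return 1
    fi
    tc qdisc add dev lo root handle 1: htb
}

# Only act when invoked as: entrypoint.sh --apply [command...]
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_shaping || exit 1
    if [ "$#" -gt 0 ]; then
        exec "$@"
    fi
fi
```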
