Say I run a container adding a capability, e.g. --cap-add=SYS_ADMIN

Is there a way to find out that this container has been assigned the SYS_ADMIN capability? docker inspect doesn't seem to return such information.
You already answered your question, but to add another option: you might want to find the currently effective capabilities, regardless of which ones you have manually configured. https://github.com/riyazdf/dockercon-workshop/tree/master/capabilities mentions some utilities, which you would need to install inside the container. Example:
docker run --rm -it alpine sh -c 'apk add -U libcap; capsh --print'
Ok, it is indeed true that posting a question on SO is often enough to find the answer for yourself.
docker inspect <container_id>

[...]
    "CapAdd": [
        "SYS_ADMIN"
    ],
    "CapDrop": null,
[...]
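Both approaches above can be automated from the host without installing anything in the container. The following script is an added example, not code from either poster or from Docker: it decodes a CapEff mask as found in /proc/PID/status (the same data capsh --print reads, and which you can get for a container with e.g. docker exec <id> cat /proc/1/status) into capability names, reports which ones go beyond Docker's default set, and flags sensitive entries in HostConfig.CapAdd from docker inspect output. The inspect JSON and /proc/status excerpt are constructed samples; the default-set mask 0xa80425fb is Docker's well-known default for unprivileged containers, and the SENSITIVE list is this example's own choice of capabilities worth reviewing.

```python
import json
import re

# Linux capability bit numbers, index == bit position (from <linux/capability.h>).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Docker's default capability set for unprivileged containers, as a CapEff mask.
DOCKER_DEFAULT_MASK = 0xA80425FB

# Capabilities this example flags for review when granted on top of the default set
# (an assumption of this example, not a Docker policy).
SENSITIVE = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
             "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_RAWIO"}


def decode_cap_mask(mask):
    """Turn a capability bitmask (int, or hex string as in /proc/PID/status) into names."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def effective_caps_from_status(status_text):
    """Parse the CapEff line of a /proc/PID/status dump (the effective set)."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return decode_cap_mask(m.group(1))


def caps_beyond_default(mask):
    """Capabilities present in `mask` that Docker would not grant by default."""
    return decode_cap_mask(mask) - decode_cap_mask(DOCKER_DEFAULT_MASK)


def audit_inspect(inspect_json):
    """Report capability-related HostConfig settings from `docker inspect` JSON (an array)."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        if hc.get("Privileged"):
            findings.append((name, "privileged", "all capabilities granted"))
        for cap in hc.get("CapAdd") or []:          # CapDrop may be null, CapAdd too
            full = cap if cap.startswith("CAP_") else "CAP_" + cap
            level = "sensitive" if (full in SENSITIVE or cap == "ALL") else "added"
            findings.append((name, level, full))
    return findings


# Constructed sample: the relevant part of `docker inspect` for a container
# started with --cap-add=SYS_ADMIN.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/web",
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": None},
}])

# Constructed sample of /proc/1/status inside that container: the default mask
# 0xa80425fb with bit 21 (CAP_SYS_ADMIN) set.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a82425fb\n"
    "CapEff:\t00000000a82425fb\n"
    "CapBnd:\t00000000a82425fb\n"
)

if __name__ == "__main__":
    for finding in audit_inspect(SAMPLE_INSPECT):
        print("inspect:", *finding)
    eff = effective_caps_from_status(SAMPLE_STATUS)
    print("effective beyond Docker default:", sorted(eff - decode_cap_mask(DOCKER_DEFAULT_MASK)))
```

The CapEff check is the more trustworthy of the two: CapAdd only tells you what was requested on the command line, while the effective set reflects what the process actually holds (including the effect of --privileged, --cap-drop, and any user switch inside the container).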