
Say I run a container adding a capability, e.g. --cap-add=SYS_ADMIN

Is there a way to find out that this container has been assigned the SYS_ADMIN capability?

docker-inspect doesn't seem to return such information.

Marcello Romani

2 Answers


You already answered your question, but to add another option: you might want to find the currently effective capabilities, regardless of which ones you have manually configured. https://github.com/riyazdf/dockercon-workshop/tree/master/capabilities mentions some utilities, which you would need to install inside the container. Example:

docker run --rm -it alpine sh -c 'apk add -U libcap; capsh --print'
gesellix
    On Ubuntu-based distributions (on mine at least, based on Ubu 16.04) the package is `libcap2-bin`. The command remains `capsh --print` of course :) Thanks, useful one! – Marcello Romani Apr 25 '17 at 23:07

Ok, it is indeed true that posting a question on SO is often enough to find the answer for yourself.

docker inspect <container_id>

[...]

"CapAdd": [
    "SYS_ADMIN"
],
"CapDrop": null,

[...]
Marcello Romani
    Following Marcello's, use Go Template formatter: `docker inspect --format='{{.HostConfig.CapAdd}}' container_id`, `docker inspect --format='{{.HostConfig.CapDrop}}' container_id` – Quar Sep 24 '20 at 19:27
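Added example, not code from either answer: both answers above give you a view of capabilities, `CapAdd` showing what was requested and `capsh --print` showing what is actually effective. The shell helper below decodes the raw hex `CapEff` bitmask from `/proc/<pid>/status` (the same data `capsh` reads) so an auditor on the host can confirm from a container's init PID whether it really holds `cap_sys_admin`, without installing anything inside the container. The sample masks are constructed; the bit-to-name table follows the kernel's capability numbering.

```shell
#!/bin/sh
# Decode a Linux capability bitmask (CapEff/CapPrm/CapBnd in /proc/<pid>/status)
# into capability names. Names are listed in kernel bit order:
# bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# cap_names_from_mask HEXMASK -> prints "cap_x cap_y ..." for every bit set.
cap_names_from_mask() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out}${out:+ }cap_${name}"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# has_cap HEXMASK cap_name -> exit status 0 if that capability bit is set.
has_cap() {
    for n in $(cap_names_from_mask "$1"); do
        [ "$n" = "$2" ] && return 0
    done
    return 1
}

# effective_caps_of_pid PID -> decode the CapEff line of a live process.
# From the host, PID would be the container's init, obtained with
# docker inspect --format '{{.State.Pid}}' <container>  (assumed usage).
effective_caps_of_pid() {
    mask=$(sed -n 's/^CapEff:[[:space:]]*//p' "/proc/$1/status") || return 1
    cap_names_from_mask "$mask"
}

# Constructed sample masks: Docker's default capability set for an
# unprivileged container, and the same set after --cap-add=SYS_ADMIN
# (bit 21, 0x200000, added).
DEFAULT_MASK="00000000a80425fb"
SYS_ADMIN_MASK="00000000a82425fb"

# Stand-alone demo: show both decoded sets.
cap_names_from_mask "$DEFAULT_MASK"
cap_names_from_mask "$SYS_ADMIN_MASK"
```

Comparing the decoded set against the default list is a quick host-side check that a container has not gained more than `CapAdd` suggests (for example via `--privileged`, which sets every bit).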