From 4e58c29513bd0e37b1a58c980593cddb5ab69c5d Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 16 Sep 2020 15:32:04 +0200 Subject: [PATCH] docs: document optional "CAP_" prefix for capabilities Signed-off-by: Sebastiaan van Stijn --- docs/reference/run.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/reference/run.md b/docs/reference/run.md index 75647a1b51..ab86ad1381 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -1332,13 +1332,21 @@ The next table shows the capabilities which are not granted by default and may b Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html) -Both flags support the value `ALL`, so if the -operator wants to have all capabilities but `MKNOD` they could use: +Both flags support the value `ALL`, so to allow a container to use all capabilities +except for `MKNOD`: ```bash $ docker run --cap-add=ALL --cap-drop=MKNOD ... ``` +The `--cap-add` and `--cap-drop` flags accept capabilities to be specified with +a `CAP_` prefix. The following examples are therefore equivalent: + +```bash +$ docker run --cap-add=SYS_ADMIN ... +$ docker run --cap-add=CAP_SYS_ADMIN ... +``` + For interacting with the network stack, instead of using `--privileged` they should use `--cap-add=NET_ADMIN` to modify the network interfaces.