docs: document optional "CAP_" prefix for capabilities

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2020-09-16 15:32:04 +02:00
parent 5bbdcd1c9d
commit 4e58c29513
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
1 changed files with 10 additions and 2 deletions
@ -1332,13 +1332,21 @@ The next table shows the capabilities which are not granted by default and may b
Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
Both flags support the value `ALL`, so if the
operator wants to have all capabilities but `MKNOD` they could use:
Both flags support the value `ALL`, so to allow a container to use all capabilities
except for `MKNOD`:
```bash
$ docker run --cap-add=ALL --cap-drop=MKNOD ...
```
The `--cap-add` and `--cap-drop` flags accept capabilities to be specified with
a `CAP_` prefix. The following examples are therefore equivalent:
```bash
$ docker run --cap-add=SYS_ADMIN ...
$ docker run --cap-add=CAP_SYS_ADMIN ...
```
For interacting with the network stack, instead of using `--privileged` they
should use `--cap-add=NET_ADMIN` to modify the network interfaces.
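Review bot: the added sentence "accept capabilities to be specified with a `CAP_` prefix" reads as if the prefix were required, while the two examples directly below it show the prefix as optional; state it as such, e.g. "Capability names may be given with or without the `CAP_` prefix, as used in the capabilities(7) man page referenced above." The sentence covers both `--cap-add` and `--cap-drop`, but the example pair only exercises `--cap-add`; adding the corresponding `--cap-drop` form (for instance `--cap-drop=CAP_MKNOD` next to the existing `--cap-drop=MKNOD` example) would make the scope explicit and let readers verify that a drop written with the prefix is honoured the same way as one without it.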