From 856a50e733ec5ef5cc71f837bed001fee20c7458 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Wed, 28 Sep 2016 13:46:11 +0100 Subject: [PATCH] Add support for ambient capabilities Linux kernel 4.3 and later supports "ambient capabilities" which are the only way to pass capabilities to containers running as a non root uid. Previously there was no way to allow containers not running as root capabilities in a useful way. Fix #8460 Signed-off-by: Justin Cormack --- docs/reference/run.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/reference/run.md b/docs/reference/run.md index 375c0c1538..82bffc1537 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -1220,6 +1220,10 @@ since Docker 1.12. In Docker 1.10 and 1.11 this did not happen and it may be nec to use a custom seccomp profile or use `--security-opt seccomp=unconfined` when adding capabilities. +It is only possible to grant capabilities to a container running as a user other than `root` +on a system with a Linux kernel version of 4.3 or later, as this requires "ambient capabilities" +to be granted. These will be added if the kernel allows it from Docker version 1.13. + ## Logging drivers (--log-driver) The container can have a different logging driver than the Docker daemon. Use
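Review bot: the added paragraph in docs/reference/run.md says the ambient capabilities "will be added if the kernel allows it from Docker version 1.13", but it does not say what happens when the kernel does not allow it; since the commit message states that ambient capabilities are the only way to pass capabilities to a container running as a non-root uid, the doc should state explicitly whether adding capabilities to a non-root container on a kernel older than 4.3 is rejected or silently leaves the process without them, so an operator does not assume the container holds privileges it lacks. The sentence "These will be added if the kernel allows it from Docker version 1.13." would also read more clearly as "Docker 1.13 and later adds these automatically when the kernel supports them."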