How do I get setcap to work in a Docker container?

March 23, 2016


I have a sample Dockerfile I would like help in getting working:

FROM alpine:3.3
RUN apk add --update libcap && rm -rf /var/cache/apk/*
RUN setcap 'cap_net_bind_service=+ep' /bin/false

I receive the following output when attempting to build this image:

Failed to set capabilities on file `/bin/false' (Invalid argument)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
The command '/bin/sh -c setcap 'cap_net_bind_service=+ep' /bin/false' returned a non-zero code: 1

I've tried the same thing using a Docker container based on an Ubuntu image.

From what I can gather, this is due to a kernel feature not being enabled. I've spent a few hours, but unfortunately I haven't been able to figure out how to make this work.

More information can be found here:

The same build functions correctly on a few other servers I use. I need this feature because I would like to run the Caddy web server in a Docker container without root privileges.
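A preflight check for the failure shown above, as an added example that is not part of the original post: it separates the two causes the output hints at, a target that is not a regular file (the usage text says symlinks are rejected) and a host or filesystem that refuses file capabilities. The function names `classify_target`, `probe_fcaps` and `diagnose` are hypothetical, and the probe assumes `setcap` is installed and the script runs as root, as in a `RUN` step.

```shell
#!/bin/sh
# Added example: find out why `setcap` rejects a target during an image build.
# All function names are hypothetical helpers, not part of libcap or Docker.

# Print one of: symlink, missing, not-regular, ok
classify_target() {
    if [ -L "$1" ]; then
        echo symlink        # setcap refuses symlinks (e.g. a busybox applet link)
    elif [ ! -e "$1" ]; then
        echo missing
    elif [ ! -f "$1" ]; then
        echo not-regular
    else
        echo ok
    fi
}

# Try to set a file capability on a scratch file in directory $1.
# Print one of: supported, rejected, unknown.
# "rejected" means the filesystem or the build's privileges refused the write.
probe_fcaps() {
    command -v setcap >/dev/null 2>&1 || { echo unknown; return 0; }
    [ "$(id -u)" -eq 0 ] || { echo unknown; return 0; }
    probe=$(mktemp "$1/fcap-probe.XXXXXX") || { echo unknown; return 0; }
    if setcap 'cap_net_bind_service=+ep' "$probe" 2>/dev/null; then
        echo supported
    else
        echo rejected
    fi
    rm -f "$probe"
}

# Print "target:<kind>" when the path itself is the problem,
# otherwise "fs:<result>" for the directory that holds it.
diagnose() {
    kind=$(classify_target "$1")
    if [ "$kind" != ok ]; then
        echo "target:$kind"
        return 1
    fi
    echo "fs:$(probe_fcaps "$(dirname "$1")")"
}

# Stand-alone use: sh preflight.sh /path/to/binary
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```

A `target:symlink` result means the capability has to go on the resolved binary (or a copy of it); an `fs:rejected` result on a regular file points at the host side, which fits a build that works on some servers and not others.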

