16

Is it possible to add a capability (for example, NET_ADMIN) after the container has actually started?

I started a container a few days ago, and a service provided by it is being used by several other processes which are running remotely on other servers. I need to add a loopback interface to it, but unfortunately I forgot to start the container with --cap-add=NET_ADMIN and hence can't add the interface now.

I'm looking for an option, if there is one, to somehow give this capability to this container.

tomix86
VanagaS
  • A loopback interface is included by default in a container, even if you were to start one up without a network. What options did you use to start yours without one? – BMitch Aug 04 '16 at 17:51
  • The requirement is to add additional loopback interfaces to assign additional IP addresses – VanagaS Aug 04 '16 at 18:49
  • Adding capabilities to a running container would be nice. Also necessary if you need to start using iptables, for example. – jjmontes Oct 14 '16 at 03:44
  • Docker isn't really made with productive systems in mind; it can work great within its abilities, but you will often find problems the developers did not care about. This is one of them: you can't do it without restarting your container. – John Nov 29 '21 at 22:15

4 Answers

15
  1. Stop the container:

    docker stop your-container
    
  2. Get the container's ID:

    docker inspect your-container
    
  3. Modify its hostconfig.json file, found by default in /var/lib/docker:

    vim /var/lib/docker/containers/ID/hostconfig.json
    
  4. Search for "CapAdd" and change its value (null by default) to whatever you need:

    ...,"CapAdd":["NET_ADMIN"],"CapDrop":null,...
    
  5. Restart the docker daemon on the host to make it reload the container configuration:

    service docker restart
    
  6. Restart your container:

    docker start your-container
    
Warren Young
Ryan Li
    Just a wild guess as I do not know OP's requirement, but I believe they wanted no downtime, so your answer is not really much different than "hey just create a different container with the right privileges", is it? – linuxbandit May 22 '19 at 14:25
  • I tried adding `["SYS_TRACE"]` and that didn't work out on Docker version 19.03.12. – Jinu Aug 18 '20 at 07:36
  • Confirmed adding ["NET_ADMIN"] works on Docker version 19.03.5. – Tomo Česnik Sep 02 '20 at 13:10
  • Why so many upvotes? The question was clear: how to do it to a running container. The answer starts with "stop your container". Well, if you are going to stop your container you do not need to edit JSON files, just docker run --cap-add. But given that some containers need half an hour to restart (like a big database), that's not a solution. – John Nov 29 '21 at 22:14
8

No, you cannot modify the capabilities of a running container. These can only be defined when you first create or run (which is just a create+start) the container. You'll need to create a new container with the desired capabilities.

I should point out that you can assign additional network interfaces to a running container with docker network connect, but I'm not aware of any loopback drivers you could use to solve your issue using this technique.

BMitch
  • I installed an application within this container which uses hard coded, (accessible) IP addresses to communicate to external services. I have installed the external services within this same container. The loopback setup is to make sure that the services communicate within the container itself. – VanagaS Aug 04 '16 at 19:04
  • Best practice would be to install each service in a separate container. You can have them running on their own docker network, and attach these networks to your running container. From this and your other questions, it sounds like you're trying to use your container as a VM rather than an application isolation tool, which is very much an anti-pattern for containers. – BMitch Aug 04 '16 at 19:10
  • The service is just another WAR file which can be run within the same J2EE server. I do not want to create another image unnecessarily which will not be used otherwise. – VanagaS Aug 04 '16 at 19:12
0

I hope this response will help someone; in 2022, try this instead: start the container with the option `--cap-add=NET_ADMIN`, i.e. `docker run ... --cap-add=NET_ADMIN ...`

-5

You can run commands inside a running container using `docker exec -it {container_id} /bin/bash`. It will create a bash shell for you in which you can run commands. But generally it's not good practice to modify image state, since it removes the portability of images.

Miad Abrin