1

I'd like to run the Nmap tool in a Docker container but not with the default root user account. I already set the (hopefully) right capabilities via setcap. Unfortunately, I get only the "operation not permitted" error when I try to run it.

This is my docker file:

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3

ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'

RUN microdnf install nmap which
RUN setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which nmap)

USER 1001

CMD ["nmap", "--privileged", "-sU", "localhost"]

Any idea on how to fix this?

Humberto Castellon
  • 879
  • 1
  • 7
  • 17
Johannes
  • 13
  • 1
  • 4

1 Answers1

2

The issue here is "cap_net_admin".

In order to use/set this capability inside a container, the container must be run with the "NET_ADMIN" capability.

# docker run --cap-add NET_ADMIN <...>

Or simply omitting "cap_net_admin" from your setcap statement should work.

However, to run nmap the way you want, you many only need the "cap_net_raw" capability.

Reducing your dockerfile setcap command to:

RUN setcap cap_net_raw+eip $(which nmap)
Morgan
  • 371
  • 1
  • 3