Run nmap in a Docker container as a non-admin user

I'd like to run the Nmap tool in a Docker container but not with the default root user account. I already set the (hopefully) right capabilities via setcap. Unfortunately, I get only the "operation not permitted" error when I try to run it.

This is my Dockerfile:

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3

ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'

RUN microdnf install nmap which
RUN setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which nmap)

USER 1001

CMD ["nmap", "--privileged", "-sU", "localhost"]

Any idea on how to fix this?


Solution 1:

The issue here is "cap_net_admin".

In order to use/set this capability inside a container, the container must be run with the "NET_ADMIN" capability.

# docker run --cap-add NET_ADMIN <...>

Or simply omitting "cap_net_admin" from your setcap statement should work.

However, to run nmap the way you want, you may only need the "cap_net_raw" capability.

Reducing your Dockerfile setcap command to:

RUN setcap cap_net_raw+eip $(which nmap)
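To see why the answer's fix works, here is an added shell example (not from the question or the answer) that models the kernel's check: a file capability with the +e bit set only takes effect if every capability in the file's set is inside the process's bounding set (the CapBnd line of /proc/self/status), otherwise execve() fails with EPERM, which is the "operation not permitted" in the question. The capability bit numbers come from <linux/capability.h>; the mask a80425fb used in the comments is Docker's default bounding set, and the function names are my own.

```shell
#!/bin/sh
# Added example: report which file capabilities on a binary fall outside
# the bounding set a container process actually has. Any such capability,
# combined with the file's +e bit, makes exec fail with EPERM.

# Bit numbers from <linux/capability.h> for the caps the question sets.
cap_bit() {
    case "$1" in
        cap_net_bind_service) echo 10 ;;
        cap_net_admin)        echo 12 ;;
        cap_net_raw)          echo 13 ;;
        cap_sys_admin)        echo 21 ;;
        *) return 1 ;;
    esac
}

# Usage: missing_caps <CapBnd hex mask> <cap name>...
# Prints, one per line, the named capabilities that are NOT in the mask.
missing_caps() {
    mask="$1"; shift
    for cap in "$@"; do
        bit=$(cap_bit "$cap") || { echo "unknown capability: $cap" >&2; return 2; }
        if [ $(( (0x$mask >> $bit) & 1 )) -eq 0 ]; then
            echo "$cap"
        fi
    done
}

# Bounding set of the current process, as the kernel reports it.
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# Stand-alone use inside the container: pass the caps from the setcap line.
# With Docker's default bounding set (00000000a80425fb) this prints
# cap_net_admin, which is exactly the one the answer says to drop or to add
# with --cap-add NET_ADMIN.
check_binary_caps() {
    missing_caps "$(current_capbnd)" "$@"
}
```

Run `check_binary_caps cap_net_raw cap_net_admin cap_net_bind_service` inside the container to confirm which of the three is blocked before changing the Dockerfile.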