
11.2.2.1 Default Capability Set

A focused guide to Default Capability Set, connecting core concepts with practical Docker and container operations.

The default capability set is the collection of Linux capabilities Docker grants to every container when no --cap-add, --cap-drop or --privileged option is given. It is a reasonable baseline, but it is broader than most individual applications need, so many containers can safely be restricted further.

What's Included in Docker's Default Capability Set

Docker grants a predefined set of 14 capabilities by default: AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, NET_RAW, SETFCAP, SETGID, SETPCAP, SETUID and SYS_CHROOT. The set is intended to cover common needs (binding a low port, changing file ownership, switching to an unprivileged user after startup) without granting the full root capability set. Because the default is implicit, docker inspect shows it only by its absence: CapAdd and CapDrop are both empty for a container started with no capability flags. The effective bounding set is visible in the container's /proc/1/status.

docker run -d --name myapp myapp:1.0
docker inspect myapp --format '{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}}'   # prints "[] []": nothing added or dropped, so the default set applies
docker exec myapp grep CapBnd /proc/1/status   # CapBnd: 00000000a80425fb (requires grep in the image)
capsh --decode=00000000a80425fb   # on the host, from libcap: expands the mask to the 14 default capability names

While this default set is considerably more restrictive than full root (it omits SYS_ADMIN, NET_ADMIN, SYS_PTRACE and SYS_MODULE, among others), it still includes capabilities that many applications never use. A typical web service has no use for NET_RAW, MKNOD, SYS_CHROOT or AUDIT_WRITE, and NET_RAW in particular lets a compromised process craft raw packets on the container network.

Why the Default Set Is a Reasonable but Not Minimal Baseline

Docker's default capability set balances broad compatibility against security — granting enough that most ordinary applications function without additional configuration, while still being meaningfully more restrictive than unrestricted root access.

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:1.0

For an application that needs only one or two capabilities, dropping the entire default set and adding back just what it actually needs gives a meaningfully tighter configuration than relying on the broader default. The --cap-drop=ALL and --cap-add flags combine into an allowlist regardless of the order in which they are given, and an application that needs no capability at all can run with --cap-drop=ALL alone. Note that --privileged overrides both flags and grants every capability.

Identifying Which Default Capabilities a Specific Application Actually Needs

Testing the application with every capability dropped, then adding back one capability at a time as failures (EPERM errors, refused binds, failed chown calls in the logs) reveal an actual need, arrives at the minimal set it genuinely requires. The test run has to exercise every privileged code path, including startup tasks such as binding a port, dropping to an unprivileged user or changing file ownership, because a capability is only checked at the moment the privileged operation is attempted.

docker run --cap-drop=ALL myapp:1.0
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:1.0

Iterating this way produces a precisely scoped capability set instead of Docker's broader default. The resulting --cap-drop and --cap-add flags (or the equivalent cap_drop and cap_add keys in a Compose file) belong in the service's run configuration so they are applied on every deployment, not just during the test.
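The following script is an added example, not code from the page or from Docker itself. It covers both the inspection step above (what the default set actually contains) and the trial-and-error procedure: it decodes the CapBnd mask that /proc/1/status reports inside a container into capability names, builds the --cap-drop=ALL/--cap-add flags for a chosen minimal set, lists what that configuration removes relative to the default, and automates the trial loop. The loop is written in the greedy direction (start from the default set, which is known to work, and try dropping each capability in turn) rather than adding back one at a time, because that converges even when an application needs several capabilities at once. The function names, the sample /proc status text and the myapp image are assumptions made for the example; only minimize_caps needs a Docker daemon.

```shell
#!/bin/sh
# Added example: decode a container's capability bounding set, derive
# docker run flags for a minimal set, and automate the drop/add trial loop.
# All function names here are the example's own (not a Docker API).

# Capability names in bit order, as numbered in <linux/capability.h>
# (bit 0 = CHOWN, bit 40 = CHECKPOINT_RESTORE).
cap_names() {
    echo "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE \
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM \
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
}

# The CapBnd mask PID 1 reports in a container started with Docker's defaults.
DOCKER_DEFAULT_MASK=00000000a80425fb

# status_cap_mask <field>: read one Cap* field (CapBnd, CapEff, ...) from
# /proc/<pid>/status text supplied on stdin and print its hex mask.
status_cap_mask() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# decode_caps <hexmask>: print the names of the set bits, lowest bit first.
decode_caps() {
    i=0; out=""
    for name in $(cap_names); do
        if [ $(( (0x$1 >> i) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        i=$((i + 1))
    done
    echo "${out# }"
}

# cap_flags [CAP ...]: docker run flags granting exactly the listed
# capabilities and nothing else (plain --cap-drop=ALL when the list is empty).
cap_flags() {
    flags="--cap-drop=ALL"
    for c in "$@"; do
        flags="$flags --cap-add=$c"
    done
    echo "$flags"
}

# caps_beyond_need <hexmask> [CAP ...]: capabilities present in the mask but
# absent from the needed list, i.e. what the tightened configuration removes.
caps_beyond_need() {
    mask=$1; shift
    needed=" $* "; out=""
    for c in $(decode_caps "$mask"); do
        case "$needed" in
            *" $c "*) ;;
            *) out="$out $c" ;;
        esac
    done
    echo "${out# }"
}

# minimize_caps <image> [cmd ...]: greedy trial loop. Start from the default
# set, try dropping each capability, keep it dropped if the command still
# succeeds. Requires docker, and the command must exercise every code path
# that needs privilege, or the result will be too small.
minimize_caps() {
    image=$1; shift
    current=$(decode_caps "$DOCKER_DEFAULT_MASK")
    for c in $current; do
        trial=""
        for k in $current; do [ "$k" = "$c" ] || trial="$trial $k"; done
        # word splitting of $(cap_flags ...) into separate flags is intended
        if docker run --rm $(cap_flags $trial) "$image" "$@" >/dev/null 2>&1; then
            current=$trial
        fi
    done
    echo "docker run $(cap_flags $current) $image $*"
}

# Constructed sample of what `grep Cap /proc/1/status` prints in a default
# container: the values are the real defaults, the text is built here.
SAMPLE_STATUS='CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

mask=$(printf '%s\n' "$SAMPLE_STATUS" | status_cap_mask CapBnd)
echo "default set ($mask): $(decode_caps "$mask")"
echo "for a service that only binds a low port: $(cap_flags NET_BIND_SERVICE)"
echo "  removes: $(caps_beyond_need "$mask" NET_BIND_SERVICE)"
# To run the trial loop against a real image (assumed name, needs docker):
#   minimize_caps myapp:1.0
```

Run it as plain sh to see the decoded default set and the flags for a port-binding service; the last commented line shows how to invoke the loop against a real image once the command under test exercises all of the application's privileged operations.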

Why Moving Beyond the Default Set Is a Worthwhile Security Practice

For applications with demanding security requirements, and for any long-running network-facing service, explicitly tightening beyond Docker's default set removes capabilities that an attacker who compromises the process could otherwise exercise. Once the minimal set is known, this is a meaningful reduction in attack surface at almost no operational cost.

Why the Default Capability Set Matters

Understanding that Docker's default capability set, while more restrictive than full root, still isn't minimal encourages explicitly tightening it for applications where the additional security benefit is worth the configuration effort involved.