As already stated in other answers, this behavior is intended. There is some kind of workaround if you can compile (or at least link) the application yourself. Then you can pass -Wl,-rpath <yourDynamicLibraryPath> to gcc or -rpath <yourDynamicLibraryPath> to ld and you won’t have to specify LD_LIBRARY_PATH at all on execution.
Running in privileged mode indeed gives the container all capabilities. But it is good practice to always give a container the minimum requirements it needs. The Docker run command documentation refers to this flag: Full container capabilities (–privileged) The –privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced … Read more
Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do: setcap ‘cap_net_bind_service=+ep’ /path/to/program And then anytime program is executed thereafter it … Read more