Ubuntu 22 Docker container can't set promiscuous mode in a Dockerfile, but can on command line

0 votes
1 answer
467 views
Hope this is the right place to ask vs SO, ServerFault, etc. I've searched a lot and can't find anything remotely like this question, ready to be proven a bad searcher.

When I build an Ubuntu 22-based Docker container and run bash on it, I can run the command in the container:

```
ip link set dev eth0 promisc on
```

But when I put that into a Dockerfile, I get an error when the command runs during build.

**Question is, why is there a difference? And how can I make it work in a Dockerfile?**

Build command is:

```
docker build -t firewall .
```

I've tried it with `--allow=network.host` just for fun, no difference. When I run the built container, I do use `--privileged`, if that matters.

Here's what the error looks like (image too: https://imgur.com/a/SrWcoFZ):

```
=> ERROR [23/23] RUN ip link set dev eth0 promisc on
------
 > [23/23] RUN ip link set dev eth0 promisc on:
0.200 RTNETLINK answers: Operation not permitted
------
Dockerfile:35
--------------------
  33 |     RUN cd snort3-3.1.43.0/build && make install
  34 |     RUN ldconfig
  35 | >>> RUN ip link set dev eth0 promisc on
--------------------
ERROR: failed to solve: process "/bin/sh -c ip link set dev eth0 promisc on" did not complete successfully: exit code: 2
```

Background: I'm trying to run Snort in a Docker container, it's part of building a project for a MS-level security course. One step of installing Snort is setting the network interface to promiscuous, if I understand correctly this lets Snort see all network traffic, regardless of destination. I see this in standard Snort installs, I don't really understand why I care about more than the traffic directly addressed to the container. Maybe this isn't even needed?

And in case it matters this is all happening inside a VM based on Ubuntu 24.04, long story short. And I'm building the project in a git repo, at the top level dir, I snipped out the warning about that.

**So the bottom line thing I'm not understanding, why is this behaving differently when running it as part of a Docker build vs running it manually in the container once the container is up?**

Thanks

**UPDATE**: Based on comments I set up an ENTRYPOINT script, but I still have the same problem: `RTNETLINK answers: Operation not permitted` occurs when I run this container. Here's the Dockerfile and startup script: https://github.com/jimlohse/firewallProjectPublic

**UPDATE 2**: I was being dumb and forgetting to use `--privileged` when I added the ENTRYPOINT script. Once I started using that flag, it works. Thanks! Accepted the answer, thanks for addressing my conceptual understanding.
Asked by JimLohse (103 rep)
Aug 12, 2024, 03:33 AM
Last activity: Aug 12, 2024, 10:24 PM
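The runtime-versus-build difference in the question comes down to Linux capabilities: each `RUN` step executes in a throwaway build container that has neither the final container's `eth0` nor `CAP_NET_ADMIN`, which `ip link set ... promisc on` needs. The entrypoint script below is an added example (not the asker's script from the linked repository): it checks the effective capability set before touching the interface and can be granted just that one capability with `docker run --cap-add=NET_ADMIN` instead of `--privileged`. The file name `entrypoint.sh`, the `IFACE` variable and the sample `CapEff` masks in the comments are assumptions.

```shell
#!/bin/sh
# entrypoint.sh (added example). Suggested Dockerfile wiring:
#   COPY entrypoint.sh /usr/local/bin/entrypoint.sh
#   ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
#   CMD ["snort", "-i", "eth0", "-c", "/etc/snort/snort.lua"]
# Run with:  docker run --cap-add=NET_ADMIN firewall
# (NET_ADMIN alone is enough for promisc mode; --privileged grants far more.)

IFACE="${IFACE:-eth0}"          # interface to put into promiscuous mode
CAP_NET_ADMIN_BIT=12            # bit index of CAP_NET_ADMIN in CapEff

# cap_has_bit HEXMASK BIT: succeed if bit BIT is set in the hex capability mask
# (CapEff in /proc/self/status is a 64-bit hex string without a 0x prefix).
cap_has_bit() {
    mask="$1"
    bit="$2"
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# current_caps: print this process's effective capability mask.
current_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# ensure_promisc IFACE: refuse early with a clear message if CAP_NET_ADMIN is
# missing, otherwise enable promiscuous mode. A default Docker container has a
# CapEff such as 00000000a80425fb (bit 12 clear); with --cap-add=NET_ADMIN it
# becomes 00000000a80435fb (bit 12 set). Both values are constructed samples.
ensure_promisc() {
    iface="$1"
    if ! cap_has_bit "$(current_caps)" "$CAP_NET_ADMIN_BIT"; then
        echo "entrypoint: CAP_NET_ADMIN missing; start with --cap-add=NET_ADMIN" >&2
        return 1
    fi
    ip link set dev "$iface" promisc on
}

# Only act as an entrypoint when a command was supplied (Docker's CMD);
# sourcing or running the file without arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    ensure_promisc "$IFACE" || exit 1
    exec "$@"
fi
```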