
Support adding capabilities to docker services using cap_add

Description

I am trying to set up docker-in-docker using user namespace isolation instead of privileged mode. For this to work, the docker-in-docker service must be started with the capabilities SYS_ADMIN, NET_ADMIN and SYS_PTRACE. Unfortunately, the cap_add (and cap_drop) options only apply to the main docker container, and not to the service containers that are created.

Proposal

cap_add and cap_drop should be used when creating services as well.

Links to related issues and merge requests / references
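For readers unfamiliar with where these options live, the following is an added example of a gitlab-runner `config.toml` for the Docker executor; it is not part of the issue and not the runner's own documentation. It assumes the `[runners.docker]` section with `privileged`, `cap_add` and `cap_drop` keys and the `[[runners.docker.services]]` table with `name` and `alias`; the runner name, URL, token and image tags are constructed placeholders. It contrasts the broad `privileged` switch with a narrower capability grant, which, as the issue describes, currently reaches only the build container and not the service container.

```toml
# Added example (not from the issue or the gitlab-runner project).
# Assumed keys: [runners.docker] privileged/cap_add/cap_drop and
# [[runners.docker.services]] name/alias. All values are constructed.

concurrent = 1

[[runners]]
  name     = "example-runner"                   # constructed
  url      = "https://gitlab.example.com/"      # constructed
  token    = "RUNNER_TOKEN_PLACEHOLDER"         # placeholder
  executor = "docker"

  [runners.docker]
    image = "docker:latest"                     # constructed

    # Broad setting: a privileged container disables most of the
    # isolation between the job and the host. Kept off here.
    privileged = false

    # Narrow setting: drop everything, then add back only the
    # capabilities the issue names. Per the issue, these apply to
    # the build container only; the service below does not get them.
    cap_drop = ["ALL"]
    cap_add  = ["SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"]

    [[runners.docker.services]]
      name  = "docker:dind"                     # constructed
      alias = "docker"
```

A practical caveat when reviewing such a file: `SYS_ADMIN` is by far the widest of the three capabilities (it gates mounts, namespaces and much of the kernel's administrative surface), so a service that receives it should still be treated as close to privileged in a threat model, even though it is a clear improvement over `privileged = true`. Pairing `cap_add` with `cap_drop = ["ALL"]` keeps the grant explicit and auditable.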