docker: run a container without bounded capabilities.

Before:
$ docker-compose run --rm web grep ^Cap /proc/1/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

$ docker-compose run --rm web capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(mystamps)
gid=1000(mystamps)
groups=

After:
$ docker-compose run --rm web capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(mystamps)
gid=1000(mystamps)
groups=

$ docker-compose run --rm web grep ^Cap /proc/1/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
CapAmb: 0000000000000000

Details:
- http://www.projectatomic.io/blog/2016/01/how-to-run-a-more-secure-non-root-user-container/
- https://docs.docker.com/compose/compose-file/#cap_add-cap_drop

Addressed to #535

[ci skip]

Author: php-coder

docker/docker-compose.yml

@@ -3,4 +3,5 @@ version: '3'
 services:
   web:
     build: ./
+    cap_drop: [ "ALL" ]
     ports: [ "8080:8080" ]