diff --git a/src/docker.js b/src/docker.js
index 23de06a46..6e13b130c 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -354,7 +354,7 @@ async function createSubcontainer(app, name, cmd, options) {
             CpuShares: app.cpuShares,
             VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
             SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
-            CapAdd: [],
+            CapAdd: ['ALL'],
             CapDrop: [],
             Sysctls: {}
         }
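Review bot: `CapAdd: ['ALL']` hands every Linux capability to every container this function builds, app containers and subcontainers alike, and with `CapDrop: []` nothing is taken back, so CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_SYS_MODULE, CAP_DAC_OVERRIDE and the rest are all live inside the app regardless of what its manifest asked for. The `apparmor=docker-cloudron-app` profile on the line above is then the only remaining confinement, and Docker's default seccomp profile conditionally permits syscalls such as mount() and ptrace() once the matching capability is held, so a compromised app lands close to `--privileged`. The same commit comments out the manifest-driven `capabilities` gating in the next hunk, which makes the grant unconditional rather than opt-in; if this is a debugging change it should not land, and the line should stay `CapAdd: [],` with the per-manifest `NET_ADMIN`/`IPC_LOCK` additions restored. If a broader default really is intended, enumerate the specific capabilities and add a comment stating why each one is needed. `createSubcontainer` starts and ends outside this hunk.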
@@ -389,20 +389,20 @@ async function createSubcontainer(app, name, cmd, options) {
     const capabilities = manifest.capabilities || [];
 
     // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
-    if (capabilities.includes('net_admin')) {
-        containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
-        // ipv6 for new interfaces is disabled in the container. this prevents the openvpn tun device having ipv6
-        // See https://github.com/moby/moby/issues/20569 and https://github.com/moby/moby/issues/33099
-        containerOptions.HostConfig.Sysctls['net.ipv6.conf.all.disable_ipv6'] = '0';
-    }
-    if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
-    if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
+    // if (capabilities.includes('net_admin')) {
+    //     containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
+    //     // ipv6 for new interfaces is disabled in the container. this prevents the openvpn tun device having ipv6
+    //     // See https://github.com/moby/moby/issues/20569 and https://github.com/moby/moby/issues/33099
+    //     containerOptions.HostConfig.Sysctls['net.ipv6.conf.all.disable_ipv6'] = '0';
+    // }
+    // if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
+    // if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
 
-    if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
-        containerOptions.HostConfig.Devices = [
-            { PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
-        ];
-    }
+    // if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
+    //     containerOptions.HostConfig.Devices = [
+    //         { PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
+    //     ];
+    // }
 
     containerOptions = _.extend(containerOptions, options);