diff --git a/container.go b/container.go
index 216d0843d6..e6b1607aeb 100644
--- a/container.go
+++ b/container.go
@@ -118,7 +118,9 @@ type ContainerRequest struct {
 	AlwaysPullImage bool   // Always pull image
 	ImagePlatform   string // ImagePlatform describes the platform which the image runs on.
 	Binds           []string
-	ShmSize         int64 // Amount of memory shared with the host (in bytes)
+	ShmSize         int64    // Amount of memory shared with the host (in bytes)
+	CapAdd          []string // Add Linux capabilities
+	CapDrop         []string // Drop Linux capabilities
 }
 
 type (
diff --git a/docker.go b/docker.go
index 298a709996..4e653e7795 100644
--- a/docker.go
+++ b/docker.go
@@ -950,7 +950,7 @@ func (p *DockerProvider) CreateContainer(ctx context.Context, req ContainerReque
 	}
 
 	exposedPorts := req.ExposedPorts
-	if len(exposedPorts) == 0 {
+	if len(exposedPorts) == 0 && !req.NetworkMode.IsContainer() {
 		image, _, err := p.client.ImageInspectWithRaw(ctx, tag)
 		if err != nil {
 			return nil, err
@@ -990,6 +990,8 @@ func (p *DockerProvider) CreateContainer(ctx context.Context, req ContainerReque
 		NetworkMode:  req.NetworkMode,
 		Resources:    req.Resources,
 		ShmSize:      req.ShmSize,
+		CapAdd:       req.CapAdd,
+		CapDrop:      req.CapDrop,
 	}
 
 	endpointConfigs := map[string]*network.EndpointSettings{}
diff --git a/docker_test.go b/docker_test.go
index 0ccfc05fc9..784d4f30e4 100644
--- a/docker_test.go
+++ b/docker_test.go
@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
 	"github.com/docker/go-units"
 	"github.com/go-redis/redis/v8"
 	"github.com/stretchr/testify/assert"
@@ -1959,6 +1960,39 @@ func TestContainerWithReaperNetwork(t *testing.T) {
 	assert.NotNil(t, cnt.NetworkSettings.Networks[networks[1]])
 }
 
+func TestContainerCapAdd(t *testing.T) {
+	if providerType == ProviderPodman {
+		t.Skip("Rootless Podman does not support setting cap-add/cap-drop")
+	}
+
+	ctx := context.Background()
+
+	expected := "IPC_LOCK"
+
+	nginx, err := GenericContainer(ctx, GenericContainerRequest{
+		ProviderType: providerType,
+		ContainerRequest: ContainerRequest{
+			Image:        nginxAlpineImage,
+			ExposedPorts: []string{nginxDefaultPort},
+			WaitingFor:   wait.ForListeningPort(nginxDefaultPort),
+			CapAdd:       []string{expected},
+		},
+		Started: true,
+	})
+	require.NoError(t, err)
+	terminateContainerOnEnd(t, ctx, nginx)
+
+	dockerClient, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	require.NoError(t, err)
+	defer dockerClient.Close()
+
+	containerID := nginx.GetContainerID()
+	resp, err := dockerClient.ContainerInspect(ctx, containerID)
+	require.NoError(t, err)
+
+	assert.Equal(t, strslice.StrSlice{expected}, resp.HostConfig.CapAdd)
+}
+
 func TestContainerRunningCheckingStatusCode(t *testing.T) {
 	ctx := context.Background()
 	req := ContainerRequest{
@@ -2068,6 +2102,33 @@ func TestProviderHasConfig(t *testing.T) {
 	assert.NotNil(t, provider.Config(), "expecting DockerProvider to provide the configuration")
 }
 
+func TestNetworkModeWithContainerReference(t *testing.T) {
+	ctx := context.Background()
+	nginxA, err := GenericContainer(ctx, GenericContainerRequest{
+		ProviderType: providerType,
+		ContainerRequest: ContainerRequest{
+			Image: nginxAlpineImage,
+		},
+		Started: true,
+	})
+
+	require.NoError(t, err)
+	terminateContainerOnEnd(t, ctx, nginxA)
+
+	networkMode := fmt.Sprintf("container:%v", nginxA.GetContainerID())
+	nginxB, err := GenericContainer(ctx, GenericContainerRequest{
+		ProviderType: providerType,
+		ContainerRequest: ContainerRequest{
+			Image:       nginxAlpineImage,
+			NetworkMode: container.NetworkMode(networkMode),
+		},
+		Started: true,
+	})
+
+	require.NoError(t, err)
+	terminateContainerOnEnd(t, ctx, nginxB)
+}
+
 // creates a temporary dir in which the files will be extracted. Then it will compare the bytes of each file in the source with the bytes from the copied-from-container file
 func assertExtractedFiles(t *testing.T, ctx context.Context, container Container, hostFilePath string, containerFilePath string) {
 	// create all copied files into a temporary dir
diff --git a/mkdocs.yml b/mkdocs.yml
index dd4ab1c983..71d7db108e 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -36,8 +36,6 @@ nav:
           - features/follow_logs.md
           - features/override_container_command.md
           - features/copy_file.md
-          - features/using_podman.md
-          - features/using_colima.md
           - Wait Strategies:
             - Introduction: features/wait/introduction.md
             - Exec: features/wait/exec.md
@@ -52,6 +50,9 @@ nav:
           - examples/cockroachdb.md
           - examples/nginx.md
           - examples/redis.md
+    - System Requirements:
+          - features/using_colima.md
+          - features/using_podman.md
     - Contributing:
           - contributing.md
           - contributing_docs.md
diff --git a/reaper.go b/reaper.go
index 5c3880e8d0..30bd58d5a8 100644
--- a/reaper.go
+++ b/reaper.go
@@ -22,7 +22,7 @@ const (
 	TestcontainerLabelSessionID = TestcontainerLabel + ".sessionId"
 	TestcontainerLabelIsReaper  = TestcontainerLabel + ".reaper"
 
-	ReaperDefaultImage = "docker.io/testcontainers/ryuk:0.3.3"
+	ReaperDefaultImage = "docker.io/testcontainers/ryuk:0.3.4"
 )
 
 type reaperContextKey string
diff --git a/runtime.txt b/runtime.txt
index 475ba515c0..cc1923a40b 100644
--- a/runtime.txt
+++ b/runtime.txt
@@ -1 +1 @@
-3.7
+3.8