From 8b408372f962d70e73336eb94fa07651e6090e91 Mon Sep 17 00:00:00 2001
From: Iain Samuel McLean Elder
Date: Sun, 6 Feb 2022 15:56:05 +0100
Subject: [PATCH] Describe privileged mode in terms of capabilities

I didn't see where in the page that `--privileged` mode adds all capabilities. I think this page once did contain that information. I got it from a Stack Overflow answer that seems to have copied from an earlier version of this same document.

> Full container capabilities (--privileged)
>
> The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

https://stackoverflow.com/a/36441605/111424

Signed-off-by: Iain Samuel McLean Elder
---
 docs/reference/run.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/reference/run.md b/docs/reference/run.md
index 197af741ab..db0a854ff0 100644
--- a/docs/reference/run.md
+++ b/docs/reference/run.md
@@ -1249,12 +1249,12 @@ by default a container is not allowed to access any devices, but a "privileged" container is given access to all devices (see the documentation on [cgroups devices](https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt)). -When the operator executes `docker run --privileged`, Docker will enable -access to all devices on the host as well as set some configuration -in AppArmor or SELinux to allow the container nearly all the same access to the -host as processes running outside containers on the host. Additional -information about running with `--privileged` is available on the -[Docker Blog](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/). +The --privileged flag gives all capabilities to the container. When the operator +executes `docker run --privileged`, Docker will enable access to all devices on +the host as well as set some configuration in AppArmor or SELinux to allow the +container nearly all the same access to the host as processes running outside +containers on the host. Additional information about running with `--privileged` +is available on the [Docker Blog](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/). If you want to limit access to a specific device or devices you can use the `--device` flag. It allows you to specify one or more devices that
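Review bot: the new opening sentence writes `--privileged` without backticks while the rest of the paragraph (`docker run --privileged`, `--privileged`) formats the flag as inline code, so it should read "The `--privileged` flag gives all capabilities to the container." Since the only substantive change is that one sentence, consider inserting it as its own line rather than rewrapping the unchanged text, which turns a one-line addition into a six-line remove/add and leaves the final line carrying the Docker Blog URL noticeably longer than the surrounding wrap width. It would also help readers if the sentence tied the capability grant to the device and AppArmor/SELinux relaxations that follow, for example "In addition to the device access described above, `--privileged` gives all capabilities to the container", so the three effects read as one list rather than an unrelated lead sentence.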