mirror of https://github.com/docker/cli.git
Describe privileged mode in terms of capabilities
I didn't see where in the page that `--privileged` mode adds all capabilities. I think this page once did contain that information. I got it from a Stack Overflow answer that seems to have copied from an earlier version of this same document.

> Full container capabilities (--privileged)
>
> The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

https://stackoverflow.com/a/36441605/111424

Signed-off-by: Iain Samuel McLean Elder <iain@isme.es>
This commit is contained in:
parent
c780f7c4ab
commit
8b408372f9
@ -1249,12 +1249,12 @@ by default a container is not allowed to access any devices, but a
|
||||||
"privileged" container is given access to all devices (see
|
"privileged" container is given access to all devices (see
|
||||||
the documentation on [cgroups devices](https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt)).
|
the documentation on [cgroups devices](https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt)).
|
||||||
|
|
||||||
When the operator executes `docker run --privileged`, Docker will enable
|
The --privileged flag gives all capabilities to the container. When the operator
|
||||||
access to all devices on the host as well as set some configuration
|
executes `docker run --privileged`, Docker will enable access to all devices on
|
||||||
in AppArmor or SELinux to allow the container nearly all the same access to the
|
the host as well as set some configuration in AppArmor or SELinux to allow the
|
||||||
host as processes running outside containers on the host. Additional
|
container nearly all the same access to the host as processes running outside
|
||||||
information about running with `--privileged` is available on the
|
containers on the host. Additional information about running with `--privileged`
|
||||||
[Docker Blog](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/).
|
is available on the [Docker Blog](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/).
|
||||||
|
|
||||||
If you want to limit access to a specific device or devices you can use
|
If you want to limit access to a specific device or devices you can use
|
||||||
the `--device` flag. It allows you to specify one or more devices that
|
the `--device` flag. It allows you to specify one or more devices that
|
||||||
|
|
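Review bot: the added sentence on the new side of the hunk writes the flag as bare `--privileged` while the rest of the same paragraph (`docker run --privileged`, `--privileged`) wraps it in backticks; for consistency and so it renders as an option name, change it to "The `--privileged` flag gives all capabilities to the container." It would also read better if the added sentence tied the two effects together, since the unchanged context above already states that a privileged container is given access to all devices via the device cgroup; something like "The `--privileged` flag gives all capabilities to the container and lifts the device cgroup restrictions described above." would match the wording of the earlier version quoted in the commit message without introducing new claims.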