Add info on --device flag permissions ':rwm'

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>

Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au> (github: SvenDowideit)
Sven Dowideit 2014-10-08 13:10:31 +10:00 committed by Tibor Vass
parent d227c88e19
commit 981a612adf
2 changed files with 48 additions and 3 deletions


@ -523,7 +523,7 @@ Creates a new container.
--cap-drop=[] Drop Linux capabilities --cap-drop=[] Drop Linux capabilities
--cidfile="" Write the container ID to the file --cidfile="" Write the container ID to the file
--cpuset="" CPUs in which to allow execution (0-3, 0,1) --cpuset="" CPUs in which to allow execution (0-3, 0,1)
--device=[] Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc) --device=[] Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
--dns=[] Set custom DNS servers --dns=[] Set custom DNS servers
--dns-search=[] Set custom DNS search domains --dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables -e, --env=[] Set environment variables
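Review bot: the new example in the `--device` help line, `--device=/dev/sdc:/dev/xvdc:rwm`, shows the permission suffix but uses the value the hunk below describes as the default, so it does not illustrate that the suffix restricts anything; either show a non-default value such as `--device=/dev/sdc:/dev/xvdc:rw` or add the word "permissions" so readers know what the third field is, e.g. "(e.g. --device=/dev/sdc:/dev/xvdc:rwm, permissions r/w/m)".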
@ -563,6 +563,8 @@ container at any point.
This is useful when you want to set up a container configuration ahead This is useful when you want to set up a container configuration ahead
of time so that it is ready to start when you need it. of time so that it is ready to start when you need it.
Please see the [run command](#run) section for more details.
#### Example #### Example
$ sudo docker create -t -i fedora bash $ sudo docker create -t -i fedora bash
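Review bot: the added line "Please see the [run command](#run) section for more details." does not say which details live there; since the point of this commit is the `--device` permission field, name it, e.g. "See the [run command](#run) section for the meaning of these options, including the `--device` permission suffix." Also check that a blank line separates the new sentence from the `#### Example` heading so Markdown does not fold the heading into the paragraph.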
@ -1221,7 +1223,7 @@ removed before the image is removed.
--cidfile="" Write the container ID to the file --cidfile="" Write the container ID to the file
--cpuset="" CPUs in which to allow execution (0-3, 0,1) --cpuset="" CPUs in which to allow execution (0-3, 0,1)
-d, --detach=false Detached mode: run the container in the background and print the new container ID -d, --detach=false Detached mode: run the container in the background and print the new container ID
--device=[] Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc) --device=[] Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
--dns=[] Set custom DNS servers --dns=[] Set custom DNS servers
--dns-search=[] Set custom DNS search domains --dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables -e, --env=[] Set environment variables
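Review bot: this keeps the `run` and `create` help strings for `--device` word-for-word identical, which is correct since both commands share the same flag parsing; make sure the flag's help string in the CLI source was updated in the same way, otherwise `docker run --help` and this reference page will disagree.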
@ -1430,8 +1432,31 @@ option enables that. For example, a specific block storage device or loop
device or audio device can be added to an otherwise unprivileged container device or audio device can be added to an otherwise unprivileged container
(without the `--privileged` flag) and have the application directly access it. (without the `--privileged` flag) and have the application directly access it.
By default, the container will be able to `read`, `write` and `mknod` these devices.
This can be overridden using a third `:rwm` set of options to each `--device`
flag:
```
$ sudo docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc
Command (m for help): q
$ sudo docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk /dev/xvdc
You will not be able to write the partition table.
Command (m for help): q
$ sudo docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc
Command (m for help): q
$ sudo docker run --device=/dev/sda:/dev/xvdc:m --rm -it ubuntu fdisk /dev/xvdc
fdisk: unable to open /dev/xvdc: Operation not permitted
```
**Note:** **Note:**
> `--device` cannot be safely used with ephemeral devices. Block devices that may be removed should not be added to untrusted containers with `--device`. > `--device` cannot be safely used with ephemeral devices. Block devices that
> may be removed should not be added to untrusted containers with `--device`.
**A complete example:** **A complete example:**
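Review bot: the first and third commands in the fenced example are the same invocation (`--device=/dev/sda:/dev/xvdc` with no suffix, both ending in `q`), so the block demonstrates the default, `:r` and `:m` cases but never `:w`; replace the duplicate with the `:w` variant and its real fdisk output, or remove it. The sentence "a third `:rwm` set of options" also reads as if `:rwm` were a literal value; say "a third field containing any combination of `r` (read), `w` (write) and `m` (mknod)" so the `:r` and `:m` examples make sense on first reading. The `:m` case is the most instructive line here, as it shows that granting mknod alone lets fdisk neither read nor write the device, so it is worth a sentence stating that operators should grant only the permissions the workload actually needs rather than the `rwm` default.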


@ -308,6 +308,26 @@ will be accessible within the container.
$ sudo docker run --device=/dev/snd:/dev/snd ... $ sudo docker run --device=/dev/snd:/dev/snd ...
By default, the container will be able to `read`, `write`, and `mknod` these devices.
This can be overridden using a third `:rwm` set of options to each `--device` flag:
```
$ sudo docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc
Command (m for help): q
$ sudo docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk /dev/xvdc
You will not be able to write the partition table.
Command (m for help): q
$ sudo docker run --device=/dev/sda:/dev/xvdc:w --rm -it ubuntu fdisk /dev/xvdc
crash....
$ sudo docker run --device=/dev/sda:/dev/xvdc:m --rm -it ubuntu fdisk /dev/xvdc
fdisk: unable to open /dev/xvdc: Operation not permitted
```
In addition to `--privileged`, the operator can have fine grain control over the In addition to `--privileged`, the operator can have fine grain control over the
capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default
list of capabilities that are kept. Both flags support the value `all`, so if the list of capabilities that are kept. Both flags support the value `all`, so if the
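Review bot: `crash....` on the `:w` line is not usable documentation output; fdisk has to read the partition table before it can do anything, so on a write-only device it should fail when it tries to read, and the example should show that actual error message (or drop the `:w` case) rather than a placeholder. This paragraph is also a near copy of the one added to the CLI reference in the first file, differing only in a comma and the line wrapping; keep the two word-for-word identical, or have one link to the other, so they do not drift apart in later edits.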