Login/Register
Difference between `--privileged` and `--cap-add=all` in docker
Asked Answered
Solved linuxdockercontainerscgroupslinux-capabilities
C

1

7

Background: I am running a docker container which needs to load/remove a kernel module which makes USB devices attached to a remote server available on the host which I then want to make available in the container.

It works when running the container with —-privileged and bind mounts for /lib/modules and /dev.

Now I want to remove privileged mode and just allow the minimum necessary access. I tried —-cap-add=all as a start, but that doesn’t seem enough. What else does —-privileged allow?

Claybourne answered 15/3, 2021 at 9:17 Comment(1)
this also answers the question what is the difference between "--privileged" and "--security-opt seccomp=unconfined"?: privlileged gives more. seccomp=unconfined only gives access to additional syscalls.Eran
M
8

Setting privileged should modify:

  • capabilities: removing any capability restrictions
  • devices: the host devices will be visible
  • seccomp: removing restrictions on allowed syscalls
  • apparmor/selinux: policies aren't applied
  • cgroups: I don't believe the container is limited within a cgroup

That's from memory, I might be able to find some more digging in the code if this doesn't point you too your issue.

p.s. here is a link to the documentation on what --privileged does: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

Mays answered 15/3, 2021 at 11:30 Comment(3)
Fantastic, thank you! Any idea where I could find this documented? I had a look at the source, but all I could find was the lifting of capability restrictions here: github.com/moby/moby/blob/…Claybourne
@Claybourne not sure. If it's not documented somewhere, it really should be. This was just from memory.Mays
@Claybourne there's a variety of settings configured when you create the container: github.com/moby/moby/blob/…Mays

© 2022 - 2024 — McMap. All rights reserved.