Docker loading kernel modules

Question

I tried to install a kernel module, xfsprogs. It was successfully installed inside a container. It is really surprising, but lsmod doesn't list this module inside container or in the host system. How can a new kernel module loaded in a container?(CentOS container, Ubuntu host)

Answer 1

In Linux host:

• Run the container in privileged mode: --privileged
• Add all capabilities: --cap-add=ALL
• mount host /lib/modules into the container: -v /lib/modules:/lib/modules

docker run --name container_name \
           --privileged \
           --cap-add=ALL -d \
           -v /dev:/dev \
           -v /lib/modules:/lib/modules \
           image_id

Caution: Here all Linux capabilities are added so capabilities can be refined. Few words about Linux capabilities Model

Answer 2

Falco is an example of a container that loads a kernel module as part of its start process.

docker run -i -t --name falco --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  sysdig/falco

Answer 3

Containers interact with the kernel through system calls and don't include any part of the kernel or the kernel modules inside the container. This is one of the reasons why containers designed to be light weight and portable. Also xfsprogs are user space programs and not kernel modules.

How can a new kernel module loaded in a container?(CentOS container, Ubuntu host)

The module needs to be loaded on your host OS, and not from the docker container.