Reputation: 873
Difference between `--privileged` and `--cap-add=all` in docker
Background: I am running a docker container which needs to load/remove a kernel module which makes USB devices attached to a remote server available on the host which I then want to make available in the container.
It works when running the container with —-privileged and bind mounts for /lib/modules and /dev.
Now I want to remove privileged mode and just allow the minimum necessary access. I tried —-cap-add=all as a start, but that doesn’t seem enough. What else does —-privileged allow?
Upvotes: 8
Views: 9512
Answers (1)
Reputation: 264721
Setting privileged should modify:
- capabilities: removing any capability restrictions
- devices: the host devices will be visible
- seccomp: removing restrictions on allowed syscalls
- apparmor/selinux: policies aren't applied
- cgroups: I don't believe the container is limited within a cgroup
That's from memory, I might be able to find some more digging in the code if this doesn't point you too your issue.
p.s. here is a link to the documentation on what --privileged does: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
Upvotes: 9
Related Questions
- difference between cgroups and namespaces
- Newer versions of docker have --cap-add, what CAP's can be added?
- Difference between privileged and capabilities
- Privileged containers and capabilities
- How can we add capabilities to a running docker container?
- Docker(containers) cgroup/namespace setup vs running Dockerfile commands as root?
- Difference between docker privileged mode and kubernetes privilege container
- Difference between --cap-add=NET_ADMIN and add capabilities in .yml
- Is a newly created Docker container associated with a new cgroup?
- Difference between docker run --user and --group-add parameters