Reputation: 4555
Can I operate on Linux kernel modules / devices from within a docker container?
There is very scarce information about this.
What would be authoritative sources on whether I can do things like depmod, insmod, rmmod and modprobe from within a docker container?
This assumes the container is running the exact same Linux (kernel wise of course it is, but also when building modules the kernel headers are exactly those of the loaded kernel).
My container needs devices to be accessible and I've played around with docker run --privileged and --device, mknod from the container and few other operations don't complain, I can see in journalctl that stuff is happening but I'd like to make sure this isn't the wrong way to go about it.
Upvotes: 2
Views: 3212
Answers (1)
Reputation: 159242
You can't (*).
Docker has two major design goals here that get in your way:
A container can run largely independently of its host system; you can run an Alpine container with musl libc on a Fedora host with GNU libc. But kernel modules are extremely specific to the exact kernel they've been compiled for. If a routine host-system update added a vendor patch to the kernel, it would break your image.
Containers shouldn't be able to access things outside their own container without being explicitly granted the privilege to. A kernel module can bypass everything -- filesystem permissions, container boundaries, user IDs -- and so a container typically isn't allowed to run
insmodand similar commands, even if the container process is running as root.
If your process needs access to host devices, and loads custom kernel modules, and in general isn't compatible with Docker's isolation system, then it's better to run it directly on the host and not in a container.
(*) ...well, you can, if at startup time you bind-mount kernel headers from the host and build a module for the currently-running kernel, and if the container is running --privileged. (You may only need --cap-add SYS_MODULE.) But this path is a lot more complex, and not any more secure, than just running a host root process.
Upvotes: 5
Related Questions
- Is it feasible to control Docker from inside a container?
- Is it possible to isolate a module kernel in containers powered by docker?
- Sharing kernel of the host operating system while using Docker
- How to use Docker (or Linux Containers) for Network Emulation?
- Is it possible to use a kernel module built from within Docker?
- Bind physical NICs to containers for docker
- Have docker container connect to network devices
- running commands within a Docker user defined network
- Load kernel module from mac os sierra host to a docker container
- Is it possible/sane to develop within a container Docker