Full container capabilities (–privileged)
$ docker run -t -i --rm ubuntu bash
root@bc338942ef20:/# mount -t tmpfs none /mnt
mount: permission denied
This will not work, because by default, most potentially dangerous kernel capabilities are dropped; including cap_sys_admin
(which is required to mount filesystems). However, the --privileged
flag will allow it to run:
$ docker run -t -i --privileged ubuntu bash
root@50e3f57e16e6:/# mount -t tmpfs none /mnt
root@50e3f57e16e6:/# df -h
Filesystem Size Used Avail Use% Mounted on
none 1.9G 0 1.9G 0% /mnt
The --privileged
flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device
cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.
参考:
https://docs.docker.com/engine/reference/commandline/run/#full-container-capabilities---privileged