Now we can run docker containers like docker run --device /dev/fuse $IMAGE.
But Kubernetes couldn't support host deivces yet, refer to https://github.com/kubernetes/kubernetes/issues/5607 .
Is that possible to mount devices like volumes? We have try -v /dev/fuse:/dev/fuse but the container didn't have permissions to open that char device. Can we add more capabilities to do that?
We have tried docker run --cap-add=ALL -v /dev/fuse:/dev/fuse and it didn't work. I think --device or --privileged is needed for this scenario.
Related
After mounting /var/run/docker.sock to a running docker container, I would like to explore the possibilities. Can I issue docker commands from inside the container, like docker stop? Why is it considered a security risk:- what exact commands could I run as a root user in docker that could possibly compromise the host?
It's trivial to escalate access to the docker socket to a root shell on the host.
docker run -it --rm --privileged --pid host debian nsenter -t 1 -m -u -n -i bash
I couldn't give you exact commands to execute since I'm not testing this but I'm assuming you could:
Execute docker commands, including mounting host volumes to newly spawned docker containers, allowing you to write to the host
Overwrite the socket to somehow inject arbitrary code into the host
Escalate privileges to other docker containers running on the same machine
I have a container that's based on the matspfeiffer/flutter image. I'm trying to forward some of my devices present on my host to the container so eventually I can run an android emulator from inside it.
I'm providing the following options to the docker run command:
--device /dev/kvm
--device /dev/dri:/dev/dri
-v /tmp/.X11-unix:/tmp/.X11-unix
-e DISPLAY
This renders the /dev/kvm device accessible from within the container.
However, the permissions for the /dev/kvm device on my host are the following:
crw-rw----+ 1 root kvm 10, 232 oct. 5 19:12 /dev/kvm
So from within the container I'm unable to interact with the device properly because of insufficient permissions.
My best shot at fixing the issue so far has been to alter the permissions of the device on my host machine like so:
sudo chmod 777 /dev/klm
It fixes the issue but it goes without saying that it is not in any case an appropriate solution.
I was wondering if there was a way to grant the container permission to interact with that specific device without altering the permissions on my host.
I am open to giving --privileged access to my host to my container.
I also wish to be able to create files from within the container without the permissions being messed up (I was once root inside a Docker container which made it so every file I would create in a shared volume from within the container inaccessible from my host).
For reference, I'm using VS Code remote containers to build and run the container so the complete docker run command as provided by VS Code is the following
docker run --sig-proxy=false -a STDOUT -a STDERR --mount type=bind,source=/home/diego/Code/Epitech/B5/redditech,target=/workspaces/redditech --mount type=volume,src=vscode,dst=/vscode -l vsch.local.folder=/home/diego/Code/Epitech/B5/redditech -l vsch.quality=stable -l vsch.remote.devPort=0 --device /dev/kvm --device /dev/dri:/dev/dri -v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY --fifheri --entrypoint /bin/sh vsc-redditech-850ec704cd6ff6a7a247e31da931a3fb-uid -c echo Container started
I know similar question had already been answered, and I studied dilligently.
I believe, I have tried nearly all possible combinations, without success:
sudo docker run --device /dev/ttyAMA0:/dev/ttyAMA0 --device /dev/mem:/dev/mem --device /dev/gpiomem:/dev/gpiomem --privileged my_image_name /bin/bash
I have also refered to the docker manual and tried also with --cap-add=SYS_ADMIN
sudo docker run --cap-add=SYS_ADMIN --device /dev/ttyAMA0:/dev/ttyAMA0 --device /dev/mem:/dev/mem --device /dev/gpiomem:/dev/gpiomem --privileged my_image_name /bin/bash
I also tried combintions with volumes: -v /sys:/sys
But I still get failed access to devices, due to Permission denied:
I have checked that those devices possibly needed exist and I can read them:
I am wasted. What am I still doing wrong ? Is it that I must run my app inside container as root ? How in the world ? :D
You're running commands in the container as appuser, while the device files are owned by root with various group permissions and no world access (crw-rw--- and crw-r-----). Those groups may look off because /etc/groups inside the container won't match the host, and what passes through to the container is the uid/gid, not the user/group name. The app itself appears to expect you are running as root and even suggests sudo. That sudo is not on the docker command itself (though you may need that if your user on the host is not a member of the docker group) but on the process started inside the container:
docker run --user root --privileged my_image_name /bin/bash
Realize that this is very insecure, so make sure you trust the process inside the container as if it was running as root on the host outside of the container, because it has all the same access.
Using the latest Docker engine, I want to create a container that mounts a volume over the network. But when I try to execute the mount command, I got the error Unable to apply new capability set.. Found out, that Docker restricts permission, like on mounting here. Different sources say, that its necessary to add SYS_ADMIN permission.
I did this, but still not working with the following command:
docker run --cap-add=SYS_ADMIN --cap-add=DAC_READ_SEARCH --privileged --memory=2g -d --name $containerName $imageName
This seems to work
docker run ... \
--cap-add SYS_ADMIN \
--cap-add DAC_READ_SEARCH \
my_container
Currently you will probably need to be sure to unmount your volume before you stop the container. Otherwise the host will now allow restarting any containers due to an untidy work queue or something. I created a script to stop my container by first unmounting, then killing the CMD process. I run this inside the container when I need to kill it.
umount /mnt/efbo_share -t cifs -l
sleep 1
pkill npm
pkill node
You can read about the unmount issues at these links:
https://github.com/moby/moby/issues/22197
https://github.com/moby/moby/issues/5618
I'd like to use Docker-in-Docker however the --privileged gives blanket access to devices. Is there a way to run this using a combination of volumes and cap-add etc. instead?
Unfortunately no, you must use the --privileged flag to run Docker in Docker, you can take a look at the official announcement where they state this is one of the many purposes of the --privileged flag.
Basically, you need more access to the host system devices to run docker than you get when running without --privileged.
Yes, you can run docker in docker without the --privileged flag. It involves mounting the docker socket to the container like so:
docker run -it -v /var/run/docker.sock:/var/run/docker.sock \
-v $(which docker):/bin/docker \
alpine docker ps -a
That is going mount the docker socket and executable into the container and run docker ps -a within the alpine container. Jérôme Petazzoni, who authored the the dind example and did a lot of the work on the --privileged flag had this to say about docker in docker:
https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/
I have been using this approach for a while now and it works pretty good.
The caveat with this approach is things get funky with storage. You're better off using data volume containers or named data volumes rather than mounting directories. Since you're using the docker socket from the host, any directories you want to mount with in a child container need to be from the context of the host, not the parent container. It gets weird. I have had better luck with data volume containers.
Yes. There are dind-rootless versions of docker image in docker hub.
https://hub.docker.com/_/docker