Description
When running Docker in Rootless mode, giving extended privileges (--privileged) to a container doesn't add all of the host's (user-accessible) device nodes to the container's spec, even though the documentation says --privileged enables access to all host devices:
https://docs.docker.com/engine/reference/run
When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.
This is how containerd/nerdctl handle it:
https://github.com/containerd/containerd/blob/master/oci/spec_opts_unix.go#L27-L37
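For readers who don't want to follow the link, the containerd helper behind that line walks /dev, keeps the character and block device nodes it finds, and appends them to the OCI spec's Linux.Devices list. The program below is an added example (written for this issue, not containerd's, nerdctl's or moby's code) that does the same thing with only the standard library; the HostDevice struct is a stand-in for the runtime-spec LinuxDevice type, the skipped subdirectories (pts, shm, fd, mqueue) are the ones such walkers commonly leave out, and the accessibility check is what a rootless daemon would need in addition, since it can only hand the container devices its own user can open.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// HostDevice mirrors the LinuxDevice fields that matter for a --privileged
// spec (hypothetical local type, not the runtime-spec one).
type HostDevice struct {
	Path     string
	Type     string // "c" for character, "b" for block
	Major    int64
	Minor    int64
	FileMode os.FileMode
}

// devMajor/devMinor decode a dev_t the way glibc's major()/minor() macros do.
func devMajor(rdev uint64) int64 {
	return int64(((rdev >> 8) & 0xfff) | ((rdev >> 32) & 0xfffff000))
}

func devMinor(rdev uint64) int64 {
	return int64((rdev & 0xff) | ((rdev >> 12) & 0xffffff00))
}

// deviceFromMode builds a HostDevice for a device node; ok is false for
// anything that is not a character or block device.
func deviceFromMode(path string, mode os.FileMode, rdev uint64) (HostDevice, bool) {
	if mode&os.ModeDevice == 0 {
		return HostDevice{}, false
	}
	typ := "b"
	if mode&os.ModeCharDevice != 0 {
		typ = "c"
	}
	return HostDevice{
		Path:     path,
		Type:     typ,
		Major:    devMajor(rdev),
		Minor:    devMinor(rdev),
		FileMode: mode.Perm(),
	}, true
}

// userAccessible reports whether the current (unprivileged) user may open
// the node for reading and writing, i.e. whether a rootless daemon could
// actually expose it. R_OK|W_OK = 4|2.
func userAccessible(path string) bool {
	return syscall.Access(path, 4|2) == nil
}

// hostDevices walks root (normally /dev) and returns every device node that
// passes the optional accessible filter. Unreadable entries are skipped
// rather than failing the walk, because a rootless daemon cannot stat
// everything under /dev.
func hostDevices(root string, accessible func(string) bool) ([]HostDevice, error) {
	skip := map[string]bool{"pts": true, "shm": true, "fd": true, "mqueue": true}
	var out []HostDevice
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil // skip what we cannot read
		}
		if d.IsDir() {
			if path != root && skip[d.Name()] {
				return filepath.SkipDir
			}
			return nil
		}
		info, err := os.Lstat(path)
		if err != nil || info.Mode()&os.ModeSymlink != 0 {
			return nil
		}
		st, ok := info.Sys().(*syscall.Stat_t)
		if !ok {
			return nil
		}
		dev, ok := deviceFromMode(path, info.Mode(), uint64(st.Rdev))
		if !ok || (accessible != nil && !accessible(path)) {
			return nil
		}
		out = append(out, dev)
		return nil
	})
	return out, err
}

func main() {
	devs, err := hostDevices("/dev", userAccessible)
	if err != nil {
		fmt.Println("walk error:", err)
	}
	for _, d := range devs {
		fmt.Printf("%s %s %d:%d %o\n", d.Path, d.Type, d.Major, d.Minor, d.FileMode)
	}
	fmt.Printf("%d user-accessible device nodes\n", len(devs))
}
```

Run as the same unprivileged user that owns the rootless daemon: the printed list is the most a rootless --privileged container could ever receive, and a node like /dev/usb/hiddev0 only appears if the user has read/write permission on it (typically via a udev rule or group membership).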
Steps to reproduce the issue:
- Run the Docker daemon as a non-root user (Rootless mode)
- Start a --privileged container
- List the available devices
Describe the results you received:
$ ls /dev/usb
hiddev0
$ docker run -it --rm --privileged alpine ls /dev/usb
ls: /dev/usb: No such file or directory
Describe the results you expected:
$ ls /dev/usb
hiddev0
$ docker run -it --rm --privileged alpine ls /dev/usb
hiddev0
Output of docker version:
Client:
Version: 20.10.6
API version: 1.41
Go version: go1.13.15
Git commit: 370c289
Built: Fri Apr 9 22:42:10 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.6
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 8728dd2
Built: Fri Apr 9 22:44:13 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.4
GitCommit: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
runc:
Version: 1.0.0-rc93
GitCommit: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Output of docker info:
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
scan: Docker Scan (Docker Inc., v0.7.0)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 20.10.6
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: none
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
init version: de40ad0
Security Options:
seccomp
Profile: default
rootless
Kernel Version: 4.15.0-142-generic
Operating System: Ubuntu 18.04.5 LTS
OSType: linux
Architecture: x86_64
Name: $HOSTNAME
Docker Root Dir: $HOME/.local/share/docker
Debug Mode: false
Username: $USER
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.