I’m quite new to Docker (been using it about a month now) and I am doing some stuff with getting containers to interact with devices on a host machine. I’ve so far been using --privileged for development, and it works quite well for the application I am doing. However, I’d like to lock these containers down before deployment. The first step I’ve taken was to switch from --privileged to --device=/dev/:/dev/:rwm. If this worked, I would have reduced the device permissions even further to the specific devices I need. However, after running a container with --device=/dev/:/dev/:rwm, the devices are not working within the container. This is leading me to suspect there is something else that --privileged is doing in order to get my setup to work. So my question is, what other capabilities does --privileged bring that I could try enabling in addition to --device? I’ve tried using --cap-add=ALL but that doesn’t do anything in my case.

I’ve looked in the Docker documentation for more clarity but I haven’t really found what I am looking for. The documentation mentions --privileged modifies AppArmor and SELinux parameters; however, when running those commands on the host, they don’t work (I’m using a Raspberry Pi, which might be why). So I’m assuming --privileged is doing something else. Are there other parameters that --privileged modifies other than AppArmor and SELinux? Or am I implementing the --device argument incorrectly?

Any help/suggestions are greatly appreciated! I can provide more info on request if needed.
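One way to stop guessing which capabilities a container actually received under --privileged versus --device/--cap-add is to read the CapEff line of /proc/self/status inside each container and decode it. The script below is an added example, not code from the original post or from Docker: it decodes a capability bitmask into names (using the kernel's capability bit numbering, bits 0..40), counts set bits, and lists the capabilities present in one mask but absent from another. The two sample masks are constructed for illustration: 000001ffffffffff is the full 41-capability set a privileged container sees on a kernel that defines capabilities up to checkpoint_restore, and 00000000a80425fb is Docker's default (non-privileged) set; the exact full mask on a given kernel depends on which capabilities it defines.

```shell
#!/bin/sh
# Added example (not from the original post): decode Linux capability bitmasks as
# printed in /proc/self/status (CapEff) so a container's real capability set can be
# compared across --privileged, --cap-add and --device runs.

# Capability names indexed by bit number, per linux/capability.h (bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> comma-separated names of the set bits, in ascending bit order.
decode_caps() {
  mask=$((0x$1))
  bit=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      out="${out:+$out,}$name"
    fi
    bit=$((bit + 1))
  done
  printf '%s\n' "$out"
}

# count_caps HEXMASK -> number of capabilities set in the mask.
count_caps() {
  mask=$((0x$1))
  n=0
  bit=0
  while [ "$bit" -lt 41 ]; do
    n=$(( n + ((mask >> bit) & 1) ))
    bit=$((bit + 1))
  done
  printf '%s\n' "$n"
}

# caps_missing HEXMASK_A HEXMASK_B -> names present in A but absent from B.
caps_missing() {
  a=$((0x$1))
  b=$((0x$2))
  decode_caps "$(printf '%x' $(( a & ~b )))"
}

# current_cap_mask -> effective capability mask of this process (Linux only).
current_cap_mask() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks (assumed values, see the lead-in): a fully privileged
# container on a 41-capability kernel versus Docker's default capability set.
PRIVILEGED_MASK=000001ffffffffff
DEFAULT_MASK=00000000a80425fb

echo "privileged: $(count_caps $PRIVILEGED_MASK) caps"
echo "default:    $(count_caps $DEFAULT_MASK) caps -> $(decode_caps $DEFAULT_MASK)"
echo "granted only by --privileged: $(caps_missing $PRIVILEGED_MASK $DEFAULT_MASK)"

# When run inside a real container, show what this process actually holds.
if [ -r /proc/self/status ]; then
  echo "this process: $(decode_caps "$(current_cap_mask)")"
fi
```

Run it once inside the --privileged container and once inside the --device/--cap-add=ALL container and compare the "this process" lines; if the two lists match, the difference in behaviour is not a capability at all but one of the other things --privileged changes (seccomp profile, AppArmor/SELinux labels, device cgroup rules and what gets mounted under /dev and /sys), which narrows the search considerably.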