Procedure for moving away from --privileged


I’m quite new to Docker (been using it about a month now) and I am doing some stuff with getting containers to interact with devices on a host machine. I’ve so far been using --privileged for development, and it works quite well for the application I am doing. However, I’d like to lock these containers down before deployment. The first step I’ve taken was to switch from --privileged to --device=/dev/:/dev/:rwm. If this worked, I would have reduced the device permissions even further to the specific devices I need. However, after running a container with --device=/dev/:/dev/:rwm, the devices are not working within the container. This is leading me to suspect there is something else that --privileged is doing in order to get my setup to work. So my question is, what other capabilities does --privileged bring that I could try enabling in addition to --device? I’ve tried using --cap-add=ALL but that doesn’t do anything in my case.

I’ve looked in the docker documentation for more clarity but I haven’t really found what I am looking for. The documentation mentions --privileged modifies AppArmor and SELinux parameters, however when running those commands on the host, they don’t work (I’m using a Raspberry Pi which might be why). So I’m assuming --privileged is doing something else. Are there other parameters that --privileged modifies other than AppArmor and SELinux? Or am I implementing the --device argument incorrectly?

Any help/suggestions are greatly appreciated! I can provide more info on request if needed.
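Added example (not from either poster): --privileged does more than bind /dev. It also grants every capability in the bounding set, lifts the device cgroup allow-list, and turns off the default seccomp and AppArmor profiles, so a container with --device but the default 14 capabilities can still fail for a reason the device path alone does not explain. The script below decodes the CapBnd mask that /proc/self/status reports and diffs two masks, so you can run it once under --privileged and once under your locked-down flags and see exactly which capabilities the lockdown removed. It assumes the standard Linux capability bit numbering and the /proc/self/status layout; the two masks in the usage comment are the well-known Docker default set (00000000a80425fb) and an all-bits mask, not values taken from this thread.

```shell
#!/bin/sh
# Decode Linux capability bitmasks (as shown in /proc/self/status) into
# cap_* names and report what one mask grants beyond another.
# Assumption: standard Linux capability numbering, bit 0 = CAP_CHOWN.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# _decode_int INTEGER -> space-separated cap_* names, lowest bit first
_decode_int() {
    mask=$1
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }cap_$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# decode_caps HEXMASK -> names, e.g. decode_caps 00000000a80425fb
decode_caps() {
    _decode_int $((0x$1))
}

# missing_caps BASE_HEX TARGET_HEX -> caps present in TARGET but not in BASE
# (i.e. what the TARGET container has that the BASE container lacks)
missing_caps() {
    _decode_int $(( (0x$2) & ~(0x$1) ))
}

# current_bounding_mask -> the CapBnd hex mask of this shell (Linux only)
current_bounding_mask() {
    sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status
}

# Usage inside a container (constructed values shown as an illustration):
#   docker run --rm IMAGE sh ./caps.sh            -> prints this container's caps
#   missing_caps 00000000a80425fb 0000003fffffffff -> caps a full mask adds over
#                                                     Docker's default set
if [ -r /proc/self/status ] && [ "${1:-}" = "" ]; then
    mask=$(current_bounding_mask)
    printf 'CapBnd %s\n' "$mask"
    decode_caps "$mask"
fi
```

Run it under --privileged first, copy the printed mask, then run it again with your --device/--cap-add flags and feed both masks to missing_caps; anything that shows up there, plus the seccomp and AppArmor profiles that --privileged also disables, is the remaining difference to account for.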



I have the same need: to start a container without --privileged but with the possibility to set kernel keys (with sysctl -w). I find no way to allow this with any set of kernel capabilities and it seems it’s not possible at all.