Super Privilege Container

..
Statement:
This blog welcome forwarding, but please keep the original author information!
Blog Address: Http://blog.csdn.net/halcyonbaby
Sina Weibo: Searching for Miracles

The content of my study, research and summary, if there is similar, it is honored!

==================

Super Privilege Container

Many times containers require greater permissions, such as the following scenarios:
1. Libvirt of containers
2. Mount the kernel module within the container
3. Process in the container to manage and monitor the host
4. Execute commands to host within the container (for hanging volume, user creation, software start-stop)

Main practices:
Use –privileged to turn off most of the security settings, or you can fine-tune the cap_add/cap_remove.
–net=host, let the container use the same net as the host.
–ipc=net, let the container and host use the same IPC.
-v/run:/run to communicate with the Dbus service within the container.
-V/:/host, enter the other namespace to operate.
-v/sys/fs/cgroup:/sys/fs/cgroup, use SELinux or Cgroup.

Example (containerized libvirt):

sudo docker run --rm --privileged --net=host -ti -e ‘container=docker‘ -v /proc/modules:/proc/modules -v /var/lib/libvirt/:/var/lib/libvirt/ -v /sys/fs/cgroup:/sys/fs/cgroup:rw libvirtd

Example (add kernel module):

sudo docker run --rm  --privileged foobar /sbin/modprobe PATHTO/foobar-kmod

Example (add user):

sudo docker run -ti --privileged -d --net=host -e sysimage=/host -v /:/host -v /dev:/dev -v /run:/run /bin/shsudo nsenter --mount=$sysimage/proc/1/ns/mnt -- /sbin/adduser testuser

Reference:
http://developerblog.redhat.com/2014/11/06/introducing-a-super-privileged-container-concept/
http://www.projectatomic.io/blog/2014/10/libvirtd_in_containers/

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

Super Privilege Container