..
Statement:
This blog welcome forwarding, but please keep the original author information!
Blog Address: Http://blog.csdn.net/halcyonbaby
Sina Weibo: Searching for Miracles
The content of my study, research and summary, if there is similar, it is honored!
==================
Super Privilege Container
Many times containers require greater permissions, such as the following scenarios:
1. Libvirt of containers
2. Mount the kernel module within the container
3. Process in the container to manage and monitor the host
4. Execute commands to host within the container (for hanging volume, user creation, software start-stop)
Main practices:
Use –privileged to turn off most of the security settings, or you can fine-tune the cap_add/cap_remove.
–net=host, let the container use the same net as the host.
–ipc=net, let the container and host use the same IPC.
-v/run:/run to communicate with the Dbus service within the container.
-V/:/host, enter the other namespace to operate.
-v/sys/fs/cgroup:/sys/fs/cgroup, use SELinux or Cgroup.
Example (containerized libvirt):
sudo docker run --rm --privileged --net=host -ti -e ‘container=docker‘ -v /proc/modules:/proc/modules -v /var/lib/libvirt/:/var/lib/libvirt/ -v /sys/fs/cgroup:/sys/fs/cgroup:rw libvirtd
Example (add kernel module):
sudo docker run --rm --privileged foobar /sbin/modprobe PATHTO/foobar-kmod
Example (add user):
sudo docker run -ti --privileged -d --net=host -e sysimage=/host -v /:/host -v /dev:/dev -v /run:/run /bin/shsudo nsenter --mount=$sysimage/proc/1/ns/mnt -- /sbin/adduser testuser
Reference:
http://developerblog.redhat.com/2014/11/06/introducing-a-super-privileged-container-concept/
http://www.projectatomic.io/blog/2014/10/libvirtd_in_containers/
Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.
Super Privilege Container