Dropping priviliges inside of the container
One of my images requires mounting of devices. Thus, it needs cap_sys_admin when starting. However, I’d like to drop this capability once it is no longer needed.
Is there some way of dropping the capability at a later stage?
One Solution collect form web for “Dropping priviliges inside of the container”
You should consider using a volume to do the amount instead of requiring the container to do them out from inside.
For example, instead of doing:
docker run --cap-add SYS_ADMIN ...
and then calling mount inside:
mount -t nfs server:/some/path /local/path
Instead, you can create a volume using the ‘local’ driver like so:
docker volume create -d local -o type=nfs -o device=:/some/path -o o=addr=server,rw my_volume
And then use it when you can run the container:
docker run -v my_volume:/local/path ...
When the container starts, the host will handle doing the mount, as the file system will be available to the container. The container needs no capabilities added.