Dropping privileges inside of the container

One of my images requires mounting of devices. Thus, it needs cap_sys_admin when starting. However, I’d like to drop this capability once it is no longer needed.

Is there some way of dropping the capability at a later stage?

One solution collected from the web for “Dropping privileges inside of the container”

    You should consider using a volume to do the mount instead of requiring the container to do it from inside.

    For example, instead of doing:

    docker run --cap-add SYS_ADMIN ...

    and then calling mount inside:

    mount -t nfs server:/some/path /local/path

    Instead, you can create a volume using the ‘local’ driver like so:

    docker volume create -d local -o type=nfs -o device=:/some/path -o o=addr=server,rw my_volume

    And then use it when you run the container:

    docker run -v my_volume:/local/path ...

    When the container starts, the host will handle doing the mount, as the file system will be available to the container. The container needs no capabilities added.
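To confirm the answer's last point from inside a running container, the capability masks in `/proc/self/status` can be decoded. This is an added example, not part of the original answer; the function names are hypothetical, the sample masks are constructed, and bit 21 is `CAP_SYS_ADMIN` in `linux/capability.h`.

```shell
#!/bin/sh
# Added example: report whether CAP_SYS_ADMIN is present in a process's
# capability sets, as exposed in /proc/<pid>/status.
CAP_SYS_ADMIN=21   # bit number from linux/capability.h

# mask_has_cap HEXMASK BIT -> exit status 0 if the bit is set in the mask
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_mask FIELD [FILE] -> print the hex mask of CapPrm, CapEff, CapBnd, ...
status_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# audit_sys_admin [FILE] -> one line per capability set;
# returns 1 if any of them still holds CAP_SYS_ADMIN.
audit_sys_admin() {
    rc=0
    for field in CapPrm CapEff CapBnd; do
        mask=$(status_mask "$field" "${1:-/proc/self/status}")
        [ -n "$mask" ] || continue          # field missing from the file
        if mask_has_cap "$mask" "$CAP_SYS_ADMIN"; then
            echo "$field=$mask: CAP_SYS_ADMIN present"
            rc=1
        else
            echo "$field=$mask: CAP_SYS_ADMIN absent"
        fi
    done
    return $rc
}

# Constructed sample masks: a typical Docker default set, and the same
# set with bit 21 added (what --cap-add SYS_ADMIN produces).
for m in 00000000a80425fb 00000000a82425fb; do
    if mask_has_cap "$m" "$CAP_SYS_ADMIN"; then
        echo "$m: has CAP_SYS_ADMIN"
    else
        echo "$m: no CAP_SYS_ADMIN"
    fi
done
```

Calling `audit_sys_admin` with no argument inside the container checks the current process; `CapBnd` matters because a capability that is still in the bounding set can be regained by executing a file that carries it.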
