
Can't run dmidecode on docker container

I am trying to run the command dmidecode in my Docker container:

docker run --device /dev/mem:/dev/mem -it jin/ubu1604

However, it claims that there is no permission:

root@bd1062dfd8ab:/# dmidecode
# dmidecode 3.0
Scanning /dev/mem for entry point.
/dev/mem: Operation not permitted
root@bd1062dfd8ab:/# ls -l /dev
total 0
crw--w---- 1 root tty  136, 0 Jan  7 03:21 console
lrwxrwxrwx 1 root root     11 Jan  7 03:20 core -> /proc/kcore
lrwxrwxrwx 1 root root     13 Jan  7 03:20 fd -> /proc/self/fd
crw-rw-rw- 1 root root   1, 7 Jan  7 03:20 full
crw-r----- 1 root kmem   1, 1 Jan  7 03:20 mem
drwxrwxrwt 2 root root     40 Jan  7 03:20 mqueue
crw-rw-rw- 1 root root   1, 3 Jan  7 03:20 null
lrwxrwxrwx 1 root root      8 Jan  7 03:20 ptmx -> pts/ptmx
drwxr-xr-x 2 root root      0 Jan  7 03:20 pts
crw-rw-rw- 1 root root   1, 8 Jan  7 03:20 random
drwxrwxrwt 2 root root     40 Jan  7 03:20 shm
lrwxrwxrwx 1 root root     15 Jan  7 03:20 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root     15 Jan  7 03:20 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root     15 Jan  7 03:20 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root   5, 0 Jan  7 03:20 tty
crw-rw-rw- 1 root root   1, 9 Jan  7 03:20 urandom
crw-rw-rw- 1 root root   1, 5 Jan  7 03:20 zero

This confused me, since I was able to run dmidecode -t system on the host (Ubuntu 14.04) fine.

I even followed some advice and set the permission on the dmidecode executable:

setcap cap_sys_rawio+ep /usr/sbin/dmidecode

It still doesn't work.

Any ideas?

UPDATE

Based on David Maze's answer, the command should be

docker run --device /dev/mem:/dev/mem --cap-add SYS_RAWIO -it my/ubu1604a

Do this only when you are going to trust what runs in the container, for example, if you are testing an installation procedure on a pristine OS.

Docker provides an isolation layer, and one of the major goals of Docker is to hide details of the host's hardware from containers. The easiest, most appropriate way to query low-level details of the host's hardware is from a root shell on the host, ignoring Docker entirely.

The actual mechanism of this is by restricting Linux capabilities. capabilities(7) documents that you need CAP_SYS_RAWIO to access /dev/mem, so in principle you can launch your container with --cap-add SYS_RAWIO. You might need other capabilities and/or device access to make this actually work, because Docker is hiding the details of what you're trying to access as a design goal.

  • I tried using this

docker run --device /dev/mem:/dev/mem --cap-add SYS_RAWIO -p 8086:8086 -it my_img:1.0.1

But this is not working for me.

Dmidecode is still not giving output when my Go program is running inside Docker.
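To see which of the two requirements named in the answer is missing inside a running container (the /dev/mem device node, or CAP_SYS_RAWIO in the effective capability set), the shell functions below read CapEff from /proc/self/status and test bit 17. This is an added example, not code from the original thread; the function names and the two sample masks are constructed for illustration, and capability number 17 for CAP_SYS_RAWIO is taken from linux/capability.h.

```shell
#!/bin/sh
# Added diagnostic example (not from the original thread).
CAP_SYS_RAWIO_BIT=17   # CAP_SYS_RAWIO as numbered in linux/capability.h

# Constructed sample masks: bit 17 clear, then the same mask with bit 17 set.
SAMPLE_WITHOUT=00000000a80425fb
SAMPLE_WITH=00000000a80625fb

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
has_cap() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [STATUS_FILE] -> print the effective capability mask (hex)
cap_eff() {
    awk '/^CapEff:/ {print $2}' "${1:-/proc/self/status}"
}

# diagnose [STATUS_FILE] [DEVICE] -> report what the /dev/mem scan lacks
diagnose() {
    status=${1:-/proc/self/status}
    dev=${2:-/dev/mem}
    mask=$(cap_eff "$status" 2>/dev/null) || mask=
    rc=0
    if [ ! -c "$dev" ]; then
        echo "missing: $dev is not a character device (--device $dev:$dev not passed?)"
        rc=1
    fi
    if ! has_cap "$mask" "$CAP_SYS_RAWIO_BIT"; then
        echo "missing: CAP_SYS_RAWIO not in CapEff=$mask (--cap-add SYS_RAWIO not passed?)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $dev present and CAP_SYS_RAWIO effective"
    return "$rc"
}

# Run the check against the current process when invoked as: sh script.sh run
case "${1:-}" in
    run) diagnose ;;
esac
```

Run it with the `run` argument as the same user and in the same container as the program that invokes dmidecode; a non-root user, or a program started with a different `docker run` line, can have a different CapEff than the interactive root shell.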
