I have a Busybox container running in Docker on an Ubuntu VM. I wanted to increase the shmem of that container, so ran the command mount -o remount,size=128m /dev/shm inside the container. The command failed to run due to permission errors. The user shows up as root, yet the command is not going through.

~$ docker run -it busybox sh
/ # df -h /dev/shm
Filesystem Size Used Available Use% Mounted on
shm 64.0M 0 64.0M 0% /dev/shm
/ # mount -o remount,size=128m /dev/shm
mount: permission denied (are you root?)
/ # whoami
root

I then ran the container itself as root, but that also didn't make any difference.

$ docker run -u root -it busybox sh
/ # whoami
root
/ # df -h /dev/shm
Filesystem Size Used Available Use% Mounted on
shm 64.0M 0 64.0M 0% /dev/shm
/ # mount -o remount,size=256m /dev/shm
mount: permission denied (are you root?)
/ # su -c "mount -o remount,size=256m /dev/shm"
mount: permission denied (are you root?)
/ #

I then ran the container with the --privileged option. Only then was I able to remount the shmem inside the container.

$ docker run -u root --privileged -it busybox sh
/ # df -h /dev/shm
Filesystem Size Used Available Use% Mounted on
shm 64.0M 0 64.0M 0% /dev/shm
/ # mount -o remount,size=128m /dev/shm
/ # df -h /dev/shm
Filesystem Size Used Available Use% Mounted on
shm 128.0M 0 128.0M 0% /dev/shm
/ # whoami
root

A few things that I am finding tough to understand here: why did mount fail initially despite the user being root? Is it because the container didn't have privileged access?

There is a docker run --shm-size option. Specify this when you start the container.

In general containers run with a restricted set of system-level capabilities, even if they're running as root. These are also listed out in the docker run documentation. That doesn't specifically mention mounting, but the extended capabilities(7) man page mentions that CAP_SYS_ADMIN controls access to mount(2) (among a wide range of other things).

In short: containers can't mount(8) or umount(8) filesystems without being given special privileges, and you should try to avoid wanting to do this. This includes some relatively benign things you could imagine like your example of changing the size of /dev/shm or loopback-mounting an ISO image.

If you really need to do this, docker run --cap-add SYS_ADMIN is the minimum permission you need to do it, but that does open up a fairly wide set of possible operations on the host. (--privileged implies --cap-add ALL so it will also work here, but it gives you even more control over the host system.)
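An added example (not code from the question or the answer above) that makes the answer's point concrete by decoding the CapEff mask a process sees in /proc/self/status: uid 0 alone does not decide whether mount(2) works, the CAP_SYS_ADMIN bit does. It assumes CAP_SYS_ADMIN is capability number 21 as defined in linux/capability.h; the two sample masks are constructed (Docker's default capability set, and the all-bits-set mask of a kernel with 38 capabilities).

```shell
#!/bin/sh
# Decode a CapEff bitmask (hex, as printed in /proc/<pid>/status).
# CAP_SYS_ADMIN is capability number 21; mount(2) is gated on that bit,
# not on the caller being uid 0.

# Sample masks (constructed for this example):
DEFAULT_CAPEFF=00000000a80425fb     # Docker default set: 14 caps, no SYS_ADMIN
PRIVILEGED_CAPEFF=0000003fffffffff  # --privileged on a 38-capability kernel

CAP_SYS_ADMIN=21

# cap_set HEX BIT -> exit status 0 when capability BIT is present in HEX
cap_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# has_cap_sys_admin HEX -> prints "yes" or "no"
has_cap_sys_admin() {
    if cap_set "$1" "$CAP_SYS_ADMIN"; then echo yes; else echo no; fi
}

# count_caps HEX -> prints how many capability bits are set in HEX
count_caps() {
    n=0; bit=0
    while [ "$bit" -lt 64 ]; do
        if cap_set "$1" "$bit"; then n=$((n + 1)); fi
        bit=$((bit + 1))
    done
    echo "$n"
}

# current_capeff -> the effective set of this very process, read from /proc
current_capeff() {
    while read -r key val; do
        if [ "$key" = "CapEff:" ]; then echo "$val"; return 0; fi
    done < /proc/self/status
}

# explain LABEL HEX -> one summary line, the way the question's result reads
explain() {
    printf '%-18s caps=%-3s CAP_SYS_ADMIN=%s\n' \
        "$1" "$(count_caps "$2")" "$(has_cap_sys_admin "$2")"
}

explain "default container" "$DEFAULT_CAPEFF"
explain "--privileged" "$PRIVILEGED_CAPEFF"
if [ -r /proc/self/status ]; then
    explain "this shell" "$(current_capeff)"
fi
```

Run it inside a plain docker run busybox sh and again with --privileged or --cap-add SYS_ADMIN to see the third line change from no to yes.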