
How to run as root inside busybox container?

I have a Busybox container running in Docker on an Ubuntu VM. I wanted to increase the shmem of that container, so I ran the command mount -o remount,size=128m /dev/shm inside the container. The command failed to run due to permission errors. The user shows up as root, yet the command is not going through.

~$ docker run -it busybox sh
/ # df -h /dev/shm
Filesystem                Size      Used Available Use% Mounted on
shm                      64.0M         0     64.0M   0% /dev/shm
/ # mount -o remount,size=128m /dev/shm
mount: permission denied (are you root?)
/ # whoami
root

I then ran the container itself as root, but that also didn't make any difference.

$ docker run -u root -it busybox sh
/ # whoami
root
/ # df -h /dev/shm
Filesystem                Size      Used Available Use% Mounted on
shm                      64.0M         0     64.0M   0% /dev/shm
/ # mount -o remount,size=256m /dev/shm
mount: permission denied (are you root?)
/ # su -c "mount -o remount,size=256m /dev/shm"
mount: permission denied (are you root?)
/ #

I then ran the container with the --privileged option. Only then was I able to remount the shmem inside the container.

$ docker run -u root --privileged -it busybox sh
/ # df -h /dev/shm
Filesystem                Size      Used Available Use% Mounted on
shm                      64.0M         0     64.0M   0% /dev/shm
/ # mount -o remount,size=128m /dev/shm
/ # df -h /dev/shm
Filesystem                Size      Used Available Use% Mounted on
shm                     128.0M         0    128.0M   0% /dev/shm
/ # whoami
root

A few things that I am finding tough to understand here:

  1. Why did mount fail initially despite the user being root? Is it because the container didn't have privileged access?
  2. How do we know which operations require privileged access and which ones do not?
  3. Is there a way to do the remounting of shmem inside the container without running in privileged mode?

There is a docker run --shm-size option. Specify this when you start the container.

In general, containers run with a restricted set of system-level capabilities, even if they're running as root. These are also listed in the docker run documentation. That doesn't specifically mention mounting, but the extended capabilities(7) man page mentions that CAP_SYS_ADMIN controls access to mount(2) (among a wide range of other things).

In short: containers can't mount(8) or umount(8) filesystems without being given special privileges, and you should try to avoid wanting to do this. This includes some relatively benign things you could imagine, like your example of changing the size of /dev/shm or loopback-mounting an ISO image.

If you really need to do this, docker run --cap-add SYS_ADMIN is the minimum permission you need to do it, but that does open up a fairly wide set of possible operations on the host. (--privileged implies --cap-add ALL, so it will also work here, but it gives you even more control over the host system.)
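The answer's point, that "root" in a container is root minus most capabilities, is visible from inside the container even without capsh or getpcaps: the CapEff line of /proc/self/status is a hex bitmask indexed by the numbers in capabilities(7), and mount(2) needs bit 21 (CAP_SYS_ADMIN). The following POSIX sh script is an added example, not code from the question or the answer; it decodes such a mask, lists the capabilities it grants, and shows what --cap-add SYS_ADMIN changes. The two sample masks are assumptions: 00000000a80425fb is the mask Docker's default capability set produces (14 capabilities), and 000001ffffffffff is a --privileged container on a kernel that knows all 41 capabilities; the constructed status excerpt is sample data, not captured output.

```sh
#!/bin/sh
# Added example: decode CapEff from /proc/<pid>/status to answer "can this
# process mount(2)?", i.e. does it hold CAP_SYS_ADMIN (bit 21 in capabilities(7)).
# Usable inside busybox, where capsh/getpcaps are absent:
#   docker run --rm busybox sh -c 'grep CapEff /proc/self/status'
# Docker flags from the answer above, for reference (not executed here):
#   docker run --shm-size=128m busybox df -h /dev/shm     # what the question actually needs
#   docker run --cap-add SYS_ADMIN busybox sh              # minimum for a remount
#   docker run --privileged busybox sh                     # all capabilities, and more

CAP_SYS_ADMIN=21

# Capability names in bit order 0..40, as numbered in capabilities(7).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon
bpf checkpoint_restore"

# Assumed sample masks (not read from a live system): Docker's default
# capability set (14 caps) and a --privileged container on a 41-capability kernel.
DEFAULT_CAPEFF=00000000a80425fb
PRIVILEGED_CAPEFF=000001ffffffffff

# cap_in_mask HEXMASK BIT: succeed if BIT is set in the hex mask.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# add_cap HEXMASK BIT: print the mask with BIT set (what --cap-add does to it).
add_cap() {
    printf '%016x\n' $(( 0x$1 | (1 << $2) ))
}

# capeff_of_status: read a /proc/<pid>/status document on stdin, print its CapEff.
capeff_of_status() {
    while read -r key val rest; do
        if [ "$key" = "CapEff:" ]; then
            echo "$val"
            return 0
        fi
    done
    return 1
}

# list_caps HEXMASK: print one cap_* name per set bit that maps to a known capability.
list_caps() {
    i=0
    for name in $CAP_NAMES; do
        cap_in_mask "$1" "$i" && echo "cap_$name"
        i=$((i + 1))
    done
}

# count_caps HEXMASK: number of known capabilities granted by the mask.
count_caps() {
    n=0
    for name in $(list_caps "$1"); do n=$((n + 1)); done
    echo "$n"
}

# mount_allowed HEXMASK: "yes" if mount(2)/remount is permitted, else "no".
mount_allowed() {
    if cap_in_mask "$1" "$CAP_SYS_ADMIN"; then echo yes; else echo no; fi
}

# --- demo on constructed data ---
# Constructed status excerpt as it would look inside `docker run busybox sh`
# (uid 0, but the default capability mask).
SAMPLE_STATUS="Name:   sh
Uid:    0       0       0       0
CapEff: $DEFAULT_CAPEFF"

mask=$(printf '%s\n' "$SAMPLE_STATUS" | capeff_of_status)
added=$(add_cap "$mask" "$CAP_SYS_ADMIN")
echo "default container (uid 0): CapEff=$mask, $(count_caps "$mask") caps, mount allowed: $(mount_allowed "$mask")"
echo "after --cap-add SYS_ADMIN:  CapEff=$added, mount allowed: $(mount_allowed "$added")"
echo "--privileged:               $(count_caps "$PRIVILEGED_CAPEFF") caps, mount allowed: $(mount_allowed "$PRIVILEGED_CAPEFF")"

# Same check against the calling process, where /proc is available.
if [ -r /proc/self/status ]; then
    me=$(capeff_of_status < /proc/self/status) && echo "this process: CapEff=$me, mount allowed: $(mount_allowed "$me")"
fi
```

Run it inside the busybox container from the question and the last line reports "no" for a plain docker run and "yes" once SYS_ADMIN is added, which is exactly the distinction that the "are you root?" message in the mount error hides. Note that the default mask already contains cap_sys_chroot and cap_mknod but not cap_net_admin or cap_sys_admin, so the usual rule of thumb holds: if an operation is gated by CAP_SYS_ADMIN, a non-privileged container cannot do it regardless of its uid.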

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM