
What the docker parameter '--privileged' does

Published: 2024-09-12 11:14:02

In Docker, the --privileged parameter gives processes inside the container almost the same permissions as if they were running on the host. This means the container can access every device on the host and can perform operations that normally require elevated privileges, such as loading kernel modules.

With the --privileged parameter, the root user inside the container has the same capabilities as the root user on the host. This includes, but is not limited to:

  1. Access to all device nodes of the host (the device files under /dev).
  2. Modifying or loading kernel modules.
  3. Mounting file systems.
  4. Access to certain protected files on the host.

This parameter is typically used for containers that require special permissions to run, such as those that need to access host-specific devices or make specific system calls.

However, using --privileged also poses a security risk, because it allows processes inside the container to perform operations that may affect the host system. Therefore, unless absolutely necessary, it is not recommended to use --privileged. For example, if you need to limit the number of graphics cards with --gpus '"device=0,1"', that parameter does not take effect under --privileged, and all graphics cards are used by default, because --privileged takes priority.

In later versions of Docker, finer-grained permission controls are recommended instead of --privileged: for example, the --cap-add parameter to add specific Linux capabilities, or user namespaces to restrict user privileges inside the container.

For example, if the container only needs to access one particular device on the host, you can use the --device parameter to specify that device rather than granting full privileges.

An example command using the --privileged parameter is as follows:

docker run --privileged -d my_image

This starts a container from the image called my_image and grants it full privileges.
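The command above uses the flag the post warns against. As an added example, not code from the original post, the following POSIX shell script puts that weak form beside a least-privilege form built from the --device and --cap-add flags the post recommends, and adds a small audit that flags docker inspect-style output whose HostConfig.Privileged is true. The image name my_image comes from the post; the device path /dev/ttyUSB0, the capability NET_ADMIN, the extra --cap-drop=ALL flag and the sample inspect JSON are assumptions and constructed data for this example.

```shell
#!/bin/sh
# Added example (not from the original post): the weak --privileged form
# beside a least-privilege form, plus an audit of docker-inspect style JSON.
# Image name, device path and capability below are illustrative assumptions.

# Weak form: full --privileged, root in the container == root on the host.
privileged_cmd() {
    printf 'docker run --privileged -d %s' "$1"
}

# Least-privilege form: expose one host device with --device and grant only
# the capability the workload needs with --cap-add, after dropping the
# default set with --cap-drop=ALL (a real docker flag, added here as good
# practice; the post itself mentions only --cap-add and --device).
#   $1 = image, $2 = host device path, $3 = Linux capability name
least_privilege_cmd() {
    printf 'docker run --device=%s --cap-drop=ALL --cap-add=%s -d %s' "$2" "$3" "$1"
}

# Audit helper: takes docker-inspect style JSON text as $1, prints a verdict
# and returns 1 when HostConfig.Privileged is true. grep is used so the check
# works on hosts without jq; the pattern tolerates whitespace around the colon.
audit_inspect() {
    if printf '%s' "$1" | grep -Eq '"Privileged"[[:space:]]*:[[:space:]]*true'; then
        printf 'PRIVILEGED: container has host-equivalent root\n'
        return 1
    fi
    printf 'ok: not privileged\n'
    return 0
}

# Constructed inspect fragments for demonstration (not captured from a real host).
SAMPLE_PRIVILEGED='{"Name":"/gpu-worker","HostConfig":{"Privileged":true,"CapAdd":null,"Devices":[]}}'
SAMPLE_SCOPED='{"Name":"/serial-reader","HostConfig":{"Privileged":false,"CapAdd":["NET_ADMIN"],"Devices":[{"PathOnHost":"/dev/ttyUSB0","PathInContainer":"/dev/ttyUSB0","CgroupPermissions":"rwm"}]}}'

# Stand-alone run: print both command forms and audit both fragments.
# On a live host the JSON would come from: docker inspect <container>
echo "weak:      $(privileged_cmd my_image)"
echo "preferred: $(least_privilege_cmd my_image /dev/ttyUSB0 NET_ADMIN)"
audit_inspect "$SAMPLE_PRIVILEGED" || :
audit_inspect "$SAMPLE_SCOPED"
```

On a real host, pass the output of docker inspect for a container to audit_inspect to spot containers started with --privileged. The grep pattern matches the key Docker emits, but where jq is installed, reading .[0].HostConfig.Privileged with a proper JSON parser is the more robust check.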