In Docker, the --privileged parameter gives processes within the container almost the same permissions as if they were on the host. This means that the container has access to all devices on the host and can perform operations that would normally require advanced privileges, such as loading kernel modules.
With the --privileged parameter, the root user inside the container will have the same capabilities as the root user on the host. This includes, but is not limited to:
- Access to all device nodes of the host (such as the device files under /dev).
- Modify or load kernel modules.
- Mount the file system.
- Access to certain protected files on the host.
This parameter is typically used for containers that require special permissions to run, such as those that need to access host-specific devices or execute specific system calls.
However, the use of --privileged also poses a security risk because it allows processes within the container to perform operations that may affect the host system. Therefore, unless absolutely necessary, it is not recommended to use --privileged. For example, suppose you need to limit the number of graphics cards used with --gpus '"device=0,1"'. In this case, with --privileged set, this parameter does not take effect, and all graphics cards are used by default. This is because --privileged has higher priority.
In subsequent versions of Docker, it is recommended that finer-grained permission controls be used instead of --privileged. For example, use the --cap-add parameter to add specific Linux capabilities, or use user namespaces to restrict user privileges within the container.
For example, if you only need the container to be able to access a certain device on the host, you can use the --device parameter to specify the device, rather than granting full privileges.
An example command using the --privileged parameter is as follows:
docker run --privileged -d my_image
This will start a container from the image called my_image and grant it privileges.
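As an added example (not part of the original article), the following Python script audits `docker inspect` output for containers started with --privileged, including the GPU case described above, and lists the --cap-add and --device grants on the others. The container names and JSON values are constructed; only the HostConfig fields Privileged, CapAdd, Devices and DeviceRequests are read.

```python
import json

# Constructed sample in the shape of `docker inspect <container>...` output,
# trimmed to the fields this check reads. Names and values are made up.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/trainer", "HostConfig": {"Privileged": true, "CapAdd": null, "Devices": [],
    "DeviceRequests": [{"Driver": "", "Count": 0, "DeviceIDs": ["0", "1"],
                        "Capabilities": [["gpu"]]}]}},
  {"Name": "/netmon", "HostConfig": {"Privileged": false, "CapAdd": ["NET_ADMIN"],
    "Devices": [], "DeviceRequests": null}},
  {"Name": "/serial", "HostConfig": {"Privileged": false, "CapAdd": null,
    "Devices": [{"PathOnHost": "/dev/ttyUSB0", "PathInContainer": "/dev/ttyUSB0",
                 "CgroupPermissions": "rwm"}], "DeviceRequests": null}}
]
""")


def audit(containers):
    """Return {container name: [findings]} for each inspected container."""
    report = {}
    for c in containers:
        host = c.get("HostConfig") or {}
        findings = []
        if host.get("Privileged"):
            findings.append("privileged: all capabilities and host devices are exposed")
            # The article's GPU case: a device selection combined with
            # --privileged does not take effect.
            for req in host.get("DeviceRequests") or []:
                if req.get("DeviceIDs"):
                    ids = ",".join(req["DeviceIDs"])
                    findings.append(f"GPU selection device={ids} is not enforced under --privileged")
        else:
            # Finer-grained grants: report exactly what was handed out.
            for cap in host.get("CapAdd") or []:
                findings.append(f"scoped capability: {cap}")
            for dev in host.get("Devices") or []:
                findings.append(f"scoped device: {dev['PathOnHost']}")
        report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name)
        for f in findings:
            print("  -", f)
```

To run it against real containers, replace SAMPLE_INSPECT with the parsed JSON output of docker inspect for the containers of interest.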