
I would like to start a container with privileges. Manually I can do that directly by typing:

sudo docker run --privileged name/image

But how can I generate a container from a Dockerfile with privileges? Is there any command to do that in the Dockerfile?

In my case I am doing a deployment in Amazon; in case it cannot be done from a Dockerfile, can it be done from the Dockerrun.aws.json?

PS. To give some context to the question, I need privileges in the docker container to be able to change the ulimit because of apache.

Edit:

I don't change it locally in the container because in Docker the ulimit of the container is the one of the host. That is why the change doesn't affect the container if I change it locally.

chuseuiti
  • Not a solution but some general advice that may lead you to look in another direction - just about every experienced person recommends **not** running anything at a raised privilege level for a moment longer than possible due to security issues, risks of a simple error or oversight doing damage, etc. – Steve Barnes May 09 '15 at 06:06
  • I agree, but not sure if the solution is trying to ignore the error when Amazon is creating the container in the instance (I don't know how to do it), or to try to fix the error from the Dockerfile – chuseuiti May 09 '15 at 17:33

1 Answer


Running the container with elevated privileges probably raises all sorts of security and reliability issues.

I would suggest that rather than starting the whole Docker session with elevated privileges, which will potentially mean that everything run on it will have elevated privileges, you instead create a docker container with a changed number set for ulimit.

I am not an expert, but the instructions for creating your own container look clear enough; then `sudo vi /etc/security/limits.conf` within your new container, changing soft nofile and soft nproc, save and then export the new container seems the way to go. You can then run the new container with normal privilege levels.

The other option that seems to be used in many places is to run multiple container instances so as to avoid congestion issues.

Steve Barnes
  • The problem is that the ulimit of the docker container is the ulimit of the host. That is why if I change the ulimit inside the container, it really isn't taken into consideration and I keep having the ulimit error. Normally this error is just a warning, but Amazon is not creating the container automatically because of it. As you can see in this other question: http://stackoverflow.com/questions/30077465/error-docker-deployment-in-amazon-ec2-docker-container-quit-unexpectedly – chuseuiti May 09 '15 at 17:27
  • If it is an Amazon-created container running on Amazon's host then you will have to apply to Amazon to get the **host** limit raised. Even if the container has elevated privileges it shouldn't be able to change the host settings; Amazon would be ***very*** upset if it could! – Steve Barnes May 09 '15 at 17:59
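The mechanism both sides of this thread are circling is the kernel's resource limits (rlimits): a container's entrypoint inherits them from the Docker daemon, `/etc/security/limits.conf` is only applied by PAM at login (which never runs for an entrypoint), and an unprivileged process may move its soft limit only up to the hard limit, while raising the hard limit needs CAP_SYS_RESOURCE, which is what `--privileged` grants along with every other capability. The Python below is an added illustration of that behaviour on a normal Linux process, not code from the question, the answer or Docker; no Docker is needed to run it. The narrow fix it points at is to set the limits at container creation with `docker run --ulimit nofile=65536:65536 name/image` (a Docker 1.6+ flag); a Dockerfile has no instruction for this because limits and privileges are run-time, not build-time, properties.

```python
import resource
import subprocess
import sys


def current_nofile():
    """(soft, hard) RLIMIT_NOFILE of this process, inherited from its parent.

    In a container PID 1 inherits these from dockerd; editing
    /etc/security/limits.conf inside the image changes nothing here."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def child_nofile():
    """Limits seen by a freshly spawned child: rlimits survive fork/exec,
    which is exactly why a container sees its parent daemon's limits."""
    out = subprocess.check_output(
        [sys.executable, "-c",
         "import resource; print(*resource.getrlimit(resource.RLIMIT_NOFILE))"])
    soft, hard = (int(x) for x in out.split())
    return soft, hard


def set_soft_nofile(soft):
    """Raise or lower the soft limit without any privilege, but only up to
    the hard limit. Returns True on success, False if the kernel refused."""
    _, hard = current_nofile()
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
        return True
    except (ValueError, OSError):  # CPython maps EINVAL/EPERM to ValueError
        return False


def try_raise_hard_nofile(extra):
    """Attempt to raise the hard limit. Needs CAP_SYS_RESOURCE (root or a
    --privileged container); an unprivileged process gets EPERM -> False."""
    soft, hard = current_nofile()
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard + extra))
        return True
    except (ValueError, OSError):
        return False


if __name__ == "__main__":
    print("inherited:", current_nofile(), "child sees:", child_nofile())
    print("raise hard limit without privilege:", try_raise_hard_nofile(1))
    # Preferred over --privileged: hand the limits to the container at start,
    #   docker run --ulimit nofile=65536:65536 name/image
```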