
One of my images requires mounting of devices. Thus, it needs cap_sys_admin when starting. However, I'd like to drop this capability once it is no longer needed.

Is there some way of dropping the capability at a later stage?

Cyclonit
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Jun 21 '17 at 20:26
  • On the docker websites stackoverflow is advertised as one possible place to ask and given that docker containers are scripted, I don't quite understand why it wouldn't fit. – Cyclonit Jun 21 '17 at 20:32
  • It sounds like the site is providing semi-incorrect information. The container is just a lightweight VM, like a Debian QEMU/Chroot. You should ask questions on a site better suited for them, like [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/). If you have programming and development questions, like how to build Docker from sources or how to fix a source code bug, then yes, please ask here. – jww Jun 21 '17 at 20:41
  • @jww I've never answered such questions in SO. Therefore, **with a lot of respect**, should I return my bronze docker badge? – Robert Jun 21 '17 at 22:17
  • @Robert - I'm not sure what one has to do with the other. There is [Should one downvote answers to off-topic questions?](https://meta.stackexchange.com/q/194963/173448) But I tend to avoid it since I'm more interested in user education with respect to person asking the question, not the person answering the question. The problem seems to be Docker telling folks to go to Stack Overflow for their non-programming and non-development related questions. Its not the first time the site has experienced the problem. – jww Jun 21 '17 at 22:47
  • @Cyclonit - The Docker site [main page](https://www.docker.com/), [documentation](https://docs.docker.com/) and [community](https://www.docker.com/docker-community) lack a reference to Stack Overflow. I also could not find a support page from the main site. Could you provide a reference so I can read what they state? Related, I'm trying to determine if these apply: [Why we're not customer support for \[your favorite company\]](https://meta.stackoverflow.com/q/255745/608639) and [Third-party development support: hosted by Stack Overflow](https://meta.stackoverflow.com/q/253394/608639). – jww Jun 21 '17 at 23:31
  • Hi, I'm referring to this site: https://docs.docker.com/opensource/get-help/ It links directly to the main site of stackoverflow.com. Please tell me once you've read this and I'll delete this question. – Cyclonit Jun 22 '17 at 18:53

1 Answer


You should consider using a volume to do the mount instead of requiring the container to do it from inside.

For example, instead of doing:

docker run --cap-add SYS_ADMIN ...

and then calling mount inside:

mount -t nfs server:/some/path /local/path

Instead, you can create a volume using the 'local' driver like so:

docker volume create -d local -o type=nfs -o device=:/some/path -o o=addr=server,rw my_volume

And then use it when you run the container:

docker run -v my_volume:/local/path ...

When the container starts, the host will handle doing the mount, as the file system will be available to the container. The container needs no capabilities added.

programmerq
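A way to verify the outcome the answer describes (the container really has no CAP_SYS_ADMIN) is to decode the capability masks the kernel exposes in `/proc/<pid>/status`. The following script is an added example, not code from the question, the answer or Docker; it assumes the Linux `/proc` status layout, the capability bit numbers from `<linux/capability.h>`, and uses constructed sample status excerpts. It also separates the effective set (`CapEff`) from the bounding set (`CapBnd`): a capability that was merely dropped from the effective set but is still in the bounding set can be regained later (for example through file capabilities on exec), which is why "drop it later" is weaker than never granting it, as the answer recommends.

```python
"""Decode Linux capability masks from /proc/<pid>/status.

Added example (not from the original question, answer or Docker).
Assumes the Linux /proc status layout; sample texts below are constructed.
"""
import os
import re
from typing import Dict, Set

# Capability bit numbers in order, as defined in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed /proc/self/status excerpts. 00000000a80425fb is the mask the
# Docker default capability set decodes to; a82425fb is the same set plus
# bit 21 (CAP_SYS_ADMIN), i.e. what --cap-add SYS_ADMIN produces.
SAMPLE_DEFAULT = (
    "Name:\tsh\nPid:\t1\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)
SAMPLE_SYS_ADMIN = SAMPLE_DEFAULT.replace("a80425fb", "a82425fb")
# Process that dropped CAP_SYS_ADMIN from its effective/permitted sets only:
# the bounding set still contains it, so it can come back after an exec.
SAMPLE_EFF_DROPPED = SAMPLE_SYS_ADMIN.replace(
    "CapPrm:\t00000000a82425fb", "CapPrm:\t00000000a80425fb"
).replace("CapEff:\t00000000a82425fb", "CapEff:\t00000000a80425fb")

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def decode_mask(hex_mask: str) -> Set[str]:
    """Turn a hexadecimal capability mask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_cap_sets(status_text: str) -> Dict[str, Set[str]]:
    """Extract every Cap* line from a /proc/<pid>/status text."""
    sets: Dict[str, Set[str]] = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def sys_admin_reachable(status_text: str) -> Dict[str, bool]:
    """Report whether CAP_SYS_ADMIN is usable now (effective) or could be
    regained later (still in the bounding set)."""
    sets = parse_cap_sets(status_text)
    return {
        "effective": "CAP_SYS_ADMIN" in sets.get("CapEff", set()),
        "bounding": "CAP_SYS_ADMIN" in sets.get("CapBnd", set()),
    }


def report(status_text: str) -> str:
    """One-line verdict suitable for a container start-up self-check."""
    r = sys_admin_reachable(status_text)
    if r["effective"]:
        return "CAP_SYS_ADMIN is in the effective set"
    if r["bounding"]:
        return "CAP_SYS_ADMIN not effective, but still in the bounding set"
    return "CAP_SYS_ADMIN absent from effective and bounding sets"


if __name__ == "__main__":
    # Run inside the container (e.g. as its entrypoint's first step) to check
    # the process's own capability sets; falls back to the constructed samples.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            print("self:", report(fh.read()))
    for label, text in (("default", SAMPLE_DEFAULT),
                        ("cap-add", SAMPLE_SYS_ADMIN),
                        ("eff-dropped", SAMPLE_EFF_DROPPED)):
        print(f"{label}: {report(text)}")
```

Run it inside the container started with `docker run -v my_volume:/local/path ...` from the answer, and the `self:` line should read "absent from effective and bounding sets"; with `--cap-add SYS_ADMIN` it reads "in the effective set". The bounding-set check is the one that matters for the original question: a process that drops CAP_SYS_ADMIN from its effective set alone has not actually given it up.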