The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

4.2.2 Controlling Capabilities and Making Host Devices Available to Containers

If you specify the --privileged=true option to docker create or docker run, the container has access to all the devices on the host, which can present a security risk. For more precise control, you can use the --cap-add and --cap-drop options in version 1.2.0 and later of Docker to restrict the capabilities of a container, for example:

[root@host ~]# docker run --cap-add=ALL --cap-drop=NET_ADMIN -i -t --rm oraclelinux:6 /bin/bash
[root@9e9a632f6e92 /]# ip route del default
RTNETLINK answers: Operation not permitted

This example grants all capabilities except NET_ADMIN to the container so that it is not able to perform network-administration operations. For more information, see the capabilities(7) manual page.
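Because `--cap-add=ALL --cap-drop=NET_ADMIN` is easy to get wrong (the order and spelling of the names matters), it is worth checking the resulting capability set from inside the container rather than trusting the command line. The kernel reports the sets as hex masks in /proc/self/status (CapBnd, CapEff, and so on). The following POSIX shell functions are an added example, not part of the Oracle documentation or of Docker: they decode such a mask into capability names using the bit numbers from <linux/capability.h>, and report_risky_caps checks for an assumed list of capabilities that hardened containers normally drop.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): decode the capability bitmask that
# the kernel reports in /proc/<pid>/status, so the effect of --cap-add/--cap-drop can be
# verified from inside a container, for instance:
#   decode_caps "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)"
# For the page's example (--cap-add=ALL --cap-drop=NET_ADMIN) the list lacks NET_ADMIN.

# Map a capability bit number to its name (bit values taken from <linux/capability.h>).
cap_name() {
    case "$1" in
        0) echo CHOWN ;;             1) echo DAC_OVERRIDE ;;
        2) echo DAC_READ_SEARCH ;;   3) echo FOWNER ;;
        4) echo FSETID ;;            5) echo KILL ;;
        6) echo SETGID ;;            7) echo SETUID ;;
        8) echo SETPCAP ;;           9) echo LINUX_IMMUTABLE ;;
        10) echo NET_BIND_SERVICE ;; 11) echo NET_BROADCAST ;;
        12) echo NET_ADMIN ;;        13) echo NET_RAW ;;
        14) echo IPC_LOCK ;;         15) echo IPC_OWNER ;;
        16) echo SYS_MODULE ;;       17) echo SYS_RAWIO ;;
        18) echo SYS_CHROOT ;;       19) echo SYS_PTRACE ;;
        20) echo SYS_PACCT ;;        21) echo SYS_ADMIN ;;
        22) echo SYS_BOOT ;;         23) echo SYS_NICE ;;
        24) echo SYS_RESOURCE ;;     25) echo SYS_TIME ;;
        26) echo SYS_TTY_CONFIG ;;   27) echo MKNOD ;;
        28) echo LEASE ;;            29) echo AUDIT_WRITE ;;
        30) echo AUDIT_CONTROL ;;    31) echo SETFCAP ;;
        32) echo MAC_OVERRIDE ;;     33) echo MAC_ADMIN ;;
        34) echo SYSLOG ;;           35) echo WAKE_ALARM ;;
        36) echo BLOCK_SUSPEND ;;    37) echo AUDIT_READ ;;
        38) echo PERFMON ;;          39) echo BPF ;;
        40) echo CHECKPOINT_RESTORE ;;
        *) echo "UNKNOWN_$1" ;;      # bit defined by a kernel newer than this table
    esac
}

# Print one capability name per line for every bit set in a hex mask
# such as 0000003fffffefff (the value format used by /proc/<pid>/status).
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    while [ "$bit" -le 63 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            cap_name "$bit"
        fi
        bit=$(( bit + 1 ))
    done
}

# Return 0 if the named capability (without the CAP_ prefix) is present in the mask.
has_cap() {
    decode_caps "$1" | grep -qx "$2"
}

# Assumed hardening list: capabilities that most containers do not need.
# Prints each one that is present and returns 0 if any was found, 1 otherwise.
report_risky_caps() {
    found=1
    for c in SYS_ADMIN SYS_MODULE SYS_RAWIO SYS_PTRACE NET_ADMIN MKNOD; do
        if has_cap "$1" "$c"; then
            echo "present: $c"
            found=0
        fi
    done
    return $found
}
```

Run inside the container as `decode_caps "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)"`; the bounding set is the one that `--cap-drop` shrinks, so a dropped capability must be missing there even for the container's root user.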

To make only individual devices on the host available to a container, you can use the --device option with docker run in version 1.2.0 and later of Docker and with docker create in version 1.3.0 and later:

--device=host_devname[:container_devname[:permissions]]

host_devname is the name of the host device.

container_devname is an optional name for the device in the container.

permissions optionally specifies the permissions that the container has on the device, which is a combination of the following codes:

m
Grants mknod permission. For example, you can use mknod to set permission bits or the SELinux context for the device file.

r
Grants read permission.

w
Grants write permission. For example, you can use a command such as mkfs to format the device.
For example, --device=/dev/sdd:/dev/xvdd:r would make the host device /dev/sdd available to the container as the device /dev/xvdd with read-only permission.


Do not make block devices that can easily be removed from the system available to untrusted containers.
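A wrapper that checks a --device specification before it reaches docker run can enforce the two points above: only the r, w and m permission codes are meaningful, and removable block devices should not be handed to untrusted containers. The following POSIX shell script is an added example, not part of the Oracle documentation or of Docker. It reads the kernel's per-disk removable flag from sysfs (/sys/block/<disk>/removable, a real kernel attribute); the SYSFS_ROOT variable is an assumption introduced here so the check can be pointed at a constructed directory tree, and the check only understands whole-disk names such as /dev/sdd, not partitions.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): validate a
# --device=host_devname[:container_devname[:permissions]] specification
# before passing it to docker run. SYSFS_ROOT is an assumed knob (default /sys)
# so the removable-device check can be tested against a constructed tree.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}

# Split a spec into "host container perms", applying the defaults Docker uses
# when a part is omitted: same path inside the container, permissions rwm.
parse_device_spec() {
    spec=$1
    host=${spec%%:*}
    rest=${spec#"$host"}
    rest=${rest#:}
    container=${rest%%:*}
    rest=${rest#"$container"}
    rest=${rest#:}
    perms=$rest
    [ -n "$container" ] || container=$host
    [ -n "$perms" ] || perms=rwm
    printf '%s %s %s\n' "$host" "$container" "$perms"
}

# Return 0 if perms is a non-empty string made only of the codes r, w and m.
valid_perms() {
    case "$1" in
        ''|*[!rwm]*) return 1 ;;
    esac
    return 0
}

# Return 0 if the kernel flags the whole-disk device as removable (USB disk,
# SD card, ...), 1 otherwise. Devices without a removable attribute (character
# devices, partitions, unknown names) are treated as not removable.
device_is_removable() {
    name=${1#/dev/}
    flag="$SYSFS_ROOT/block/$name/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Validate a spec: on success print the normalized --device argument;
# on failure print the reason on stderr and return 1.
check_device_spec() {
    set -- $(parse_device_spec "$1")     # word-split into host container perms
    host=$1; container=$2; perms=$3
    case "$host" in
        /dev/*) ;;
        *) echo "host device must be under /dev: $host" >&2; return 1 ;;
    esac
    valid_perms "$perms" || { echo "bad permissions '$perms' (use r, w, m)" >&2; return 1; }
    if device_is_removable "$host"; then
        echo "refusing removable block device $host for an untrusted container" >&2
        return 1
    fi
    echo "--device=$host:$container:$perms"
}

# Usage: arg=$(check_device_spec /dev/sdd:/dev/xvdd:r) && docker run "$arg" ... image
```

The script deliberately fails closed only on the documented risk (a removable disk); everything else it cannot judge, such as a character device, passes through with its permissions normalized so that the final docker run command line states explicitly what was granted.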