5.2.2 Controlling Capabilities and Making Host Devices Available to Containers

If you specify the --privileged=true option to docker create or docker run, the container runs with all capabilities and has access to all the devices on the host, which presents a security risk: a root process inside such a container can do most of what root on the host can do. For more precise control, use the --cap-add and --cap-drop options to adjust the capabilities of a container, for example:

[root@host ~]# docker run --cap-add=ALL --cap-drop=NET_ADMIN -i -t --rm oraclelinux:7
[root@guest /]# ip route del default
RTNETLINK answers: Operation not permitted

This example grants all capabilities except NET_ADMIN to the container, so it cannot perform network-administration operations such as changing the routing table. Note that --cap-add=ALL grants far more than the restricted set of capabilities that a container receives by default, which already excludes NET_ADMIN. For a production workload, the safer pattern is --cap-drop=ALL followed by --cap-add for only the capabilities the workload actually needs. For more information, see the capabilities(7) manual page.
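Rather than trusting the command line, you can verify from inside the container which capabilities it actually ended up with: the effective set is the hexadecimal mask on the CapEff line of /proc/self/status, where bit N corresponds to capability number N in linux/capability.h. The following script is an added example, not part of this documentation or of Docker; the docker run command in the comments and the two sample masks (Docker's default set and the set left by --cap-add=ALL) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: decode a Linux capability bitmask (the CapEff value from
# /proc/self/status) into capability names, so you can confirm what a
# container actually has after docker run --cap-drop/--cap-add.

# Capability names in bit order, as numbered in <linux/capability.h>
# (0 = chown ... 40 = checkpoint_restore).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: print one capability name per line for each set bit.
decode_caps() {
    mask=$((0x$1))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
        i=$((i + 1))
    done
}

# has_cap HEXMASK NAME: succeed if NAME (lower case, without CAP_) is in the mask.
has_cap() {
    decode_caps "$1" | grep -qx "$2"
}

# cap_count HEXMASK: number of capabilities set in the mask.
cap_count() {
    decode_caps "$1" | grep -c . || true
}

# current_caps: CapEff of the calling process; run this inside the container.
current_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Typical use from the host (assumed command, not run by this script):
#   docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE -it --rm oraclelinux:7 \
#       grep CapEff /proc/self/status
# then feed the printed mask to decode_caps. Sample masks (assumed values):
#   decode_caps 00000000a80425fb   # Docker's default set: 14 capabilities, no net_admin
#   decode_caps 000001ffffffffff   # the 41 capabilities left by --cap-add=ALL
```

Because the check reads the container's own /proc, it reflects whatever the runtime, seccomp profile or a later setcap actually applied, which is the value you want in an audit rather than the options you remember passing.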

To make only individual devices on the host available to a container, you can use the --device option with docker run and docker create:

--device=host_devname[:container_devname[:permissions]]

host_devname is the name of the host device.

container_devname is an optional name for the device in the container. If you omit it, the device has the same name in the container as on the host.

permissions optionally specifies the permissions that the container has on the device, which is a combination of the following codes. If you omit permissions, the container gets all three (rwm):

m

Grants mknod permission, which allows the container to create additional device nodes for this device using mknod. Setting the permission bits or the SELinux context of an existing device file uses chmod or chcon, not mknod, and is not controlled by this code.

r

Grants read permission.

w

Grants write permission. For example, you can use a command such as mkfs to format the device.

For example, --device=/dev/sdd:/dev/xvdd:r would make the host device /dev/sdd available to the container as the device /dev/xvdd with read-only permission.

Warning

Do not make block devices that can easily be removed from the system available to untrusted containers.
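Because a typo in the third field silently changes what a container can do to a disk, it is worth normalising and checking a --device argument before passing it to docker run. The following script is an added example, not part of this documentation or of Docker: device_spec and read_only_device are names chosen here, and the docker run command in the comments is assumed rather than executed.

```shell
#!/bin/sh
# Added example: normalise and validate a
# --device=host_devname[:container_devname[:permissions]] argument.
# Fills in the defaults (container path = host path, permissions = rwm)
# and rejects a host path that is not a device node, a relative container
# path, or permission codes other than r, w and m (each at most once).

device_spec() {
    spec=$1
    host=${spec%%:*}
    rest=${spec#"$host"}; rest=${rest#:}
    container=${rest%%:*}
    perms=${rest#"$container"}; perms=${perms#:}
    [ -n "$container" ] || container=$host
    [ -n "$perms" ] || perms=rwm

    # The host path must be an existing block or character device node.
    if [ ! -b "$host" ] && [ ! -c "$host" ]; then
        echo "device_spec: $host is not a block or character device" >&2
        return 1
    fi
    # The device must appear at an absolute path inside the container.
    case $container in
        /*) ;;
        *) echo "device_spec: container path $container is not absolute" >&2; return 1 ;;
    esac
    # Only r, w and m are valid permission codes, and none may repeat.
    case $perms in
        *[!rwm]*|*r*r*|*w*w*|*m*m*)
            echo "device_spec: invalid permissions '$perms'" >&2; return 1 ;;
    esac
    printf '%s:%s:%s\n' "$host" "$container" "$perms"
}

# read_only_device HOST [CONTAINER]: spec that exposes HOST read-only, the
# form to prefer for a block device the container only needs to read.
read_only_device() {
    device_spec "$1:${2:-$1}:r"
}

# Typical use (assumed command, not run by this script):
#   docker run --device="$(read_only_device /dev/sdd /dev/xvdd)" -it --rm oraclelinux:7
```

The device-node check catches the common mistake of exposing a regular file or a path that does not exist on this host, and the read-only wrapper makes the least-privilege form the easy one to type.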