mirror of https://github.com/docker/cli.git synced 2026-01-26 15:41:42 +03:00

Run privileged containers when userns are specified

Following #19995 and #17409 this PR enables skipping userns re-mapping
when creating a container (or when executing a command), thus enabling
privileged containers running side by side with userns remapped
containers.

The feature is enabled by specifying `--userns:host`, which will not
remap the user if userns are applied. If this flag is not specified,
the existing behavior (which blocks specific privileged operations)
remains.

Signed-off-by: Liron Levin <liron@twistlock.com>
This commit is contained in:
Liron Levin
2016-02-08 16:23:24 +02:00
committed by Tibor Vass
parent b2b5bc9937
commit ce28fa45b0
5 changed files with 26 additions and 0 deletions

@@ -58,6 +58,7 @@ docker-create - Create a new container
[**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]]
[**--userns**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**]
[**--read-only**]
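Review bot: the new `[**--userns**[=*[]*]]` line is inserted between `--pid` and `--pids-limit`, which breaks the alphabetical order the synopsis otherwise keeps (`--pid`, `--pids-limit`, `--privileged`, `--read-only`); move it to its alphabetical position next to the other `--u*` options. Consider also `[=*host*]` instead of the empty `[=*[]*]` placeholder, since the option section added further down documents `host` as the only mode.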
@@ -291,6 +292,10 @@ unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
**host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--userns**=""
Set the usernamespace mode for the container when `userns-remap` option is enabled.
**host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
**--pids-limit**=""
Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
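Review bot: the `--userns` description documents a mode that switches off user-namespace remapping for the container, yet unlike the `--pid` `host` entry directly above it carries no security note; add one in the same form, e.g. `Note: the host mode disables user namespace remapping for this container and is therefore considered insecure.` Two wording points in the same lines: `usernamespace` should be `user namespace` (both occurrences), and the example `pid=host` should read `--pid=host` so it matches `--privileged` beside it and the option name used above. It would also help to state that `userns-remap` is a daemon option rather than a flag of `docker create`, since the sentence reads as if it were set on this command.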

@@ -60,6 +60,7 @@ docker-run - Run a command in a new container
[**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]]
[**--userns**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**]
[**--read-only**]
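Review bot: as in the docker-create synopsis, `[**--userns**[=*[]*]]` lands between `--pid` and `--pids-limit` and breaks the alphabetical ordering of this list; place it with the other `--u*` options. The `[=*[]*]` placeholder could be `[=*host*]`, the only value the option section below defines.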
@@ -421,6 +422,10 @@ Use `docker port` to see the actual mapping: `docker port CONTAINER $CONTAINERPO
**host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--userns**=""
Set the usernamespace mode for the container when `userns-remap` option is enabled.
**host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
**--pids-limit**=""
Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
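Review bot: this `--userns` entry, like its docker-create twin, lacks the `Note: ... is therefore considered insecure.` line that the neighbouring `--pid` `host` mode carries, even though `host` here disables the user-namespace remapping that the daemon's `userns-remap` setting provides; add the same note. Also write `user namespace` rather than `usernamespace`, use `--pid=host` instead of `pid=host` in the example, and make clear that `userns-remap` is configured on the daemon, not on `docker run`.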