moby: Unable to mount within a container even w/ `--cap-add=SYS_ADMIN`

According to the docker run reference, #Runtime privilege, Linux capabilities, and LXC configuration section, it should enable the mount syscall w/ --cap-add=SYS_ADMIN. This is also confirmed by someone who opened #9950 with docker 1.5. Yet it doesn't work for me now. Is this expected?

How to reproduce

$ docker run --cap-add=SYS_ADMIN -it ubuntu /bin/bash
root@1a6c069a8589:/# cd home/
root@1a6c069a8589:/home# mkdir 1
root@1a6c069a8589:/home# mkdir 2
root@1a6c069a8589:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1a6c069a8589:/home# exit
$ docker run --cap-add=ALL -it ubuntu /bin/bash
root@1e04bcd81fee:/# cd home/
root@1e04bcd81fee:/home# mkdir 1
root@1e04bcd81fee:/home# mkdir 2
root@1e04bcd81fee:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1e04bcd81fee:/home# exit

--privileged is all right though. FYI.

ENV

docker version: 1.7.1
platform: ubuntu 12.04

/cc @cpuguy83

State: closed
Comments: 21 (16 by maintainers)

Most upvoted comments

Yeah as long as I launch with “docker run --cap-add=SYS_ADMIN --security-opt apparmor:unconfined” then I am able to mount on a container under Synology DSM6 without having to run in privileged mode, just for anybody who stumbles across this in the future.

Users are not advised to disable AppArmor globally. This can be disabled per-container using '--security-opt apparmor:unconfined'.

I had the same issue and launching with docker run --cap-add=SYS_ADMIN --security-opt apparmor:unconfined worked for me. Thanks.

Disabling apparmor indeed fixes the issue. However, something extra must be going on because if I only change the default kernel in /boot/grub/grub.conf and nothing else, it is enough to go between working and not working.
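The thread boils down to two different reasons a mount inside a container can fail: the effective capability set lacks CAP_SYS_ADMIN, or the capability is there but the enforcing docker-default AppArmor profile denies mount. The following shell script is an added diagnostic, not code from the issue or from the Docker project; it reads the two facts a process can learn about itself (the CapEff field of /proc/self/status and the label in /proc/self/attr/current) and says which of the two is in play. The CapEff values used as samples are constructed here; 00000000a80425fb is the usual Docker default set and 00000000a82425fb is the same set with bit 21 (CAP_SYS_ADMIN) added.

```shell
#!/bin/sh
# Added diagnostic (not from the issue or from Docker): decide whether a failed
# mount inside a container is a capability problem or an AppArmor problem.

CAP_SYS_ADMIN_BIT=21   # <linux/capability.h>: CAP_SYS_ADMIN == 21

# has_cap_sys_admin HEX
#   HEX is the CapEff value from /proc/<pid>/status (64-bit mask, hex).
#   Succeeds when bit 21 of the effective set is set.
has_cap_sys_admin() {
    [ "$(( 0x$1 >> CAP_SYS_ADMIN_BIT & 1 ))" -eq 1 ]
}

# diagnose CAPEFF_HEX APPARMOR_LABEL
#   APPARMOR_LABEL is the content of /proc/self/attr/current, e.g.
#   "docker-default (enforce)" or "unconfined" (empty on non-AppArmor hosts).
#   Prints one word:
#     nocap    - CAP_SYS_ADMIN absent: mount(2) gets EPERM whatever the LSM says
#     apparmor - capability present, but an enforcing profile is attached;
#                the stock docker-default profile denies mount
#     ok       - capability present and no enforcing profile in the way
diagnose() {
    caps=$1
    aa=$2
    if ! has_cap_sys_admin "$caps"; then
        echo nocap
        return
    fi
    case "$aa" in
        ""|unconfined) echo ok ;;
        *"(enforce)")  echo apparmor ;;
        *)             echo ok ;;   # complain mode only logs, it does not block
    esac
}

# Constructed sample values (typical Docker CapEff masks, not read from a host):
DEFAULT_CAPS=00000000a80425fb          # docker run with no --cap-add
DEFAULT_PLUS_SYS_ADMIN=00000000a82425fb   # plus --cap-add=SYS_ADMIN

# Walk the three situations seen in the thread.
printf 'default caps, docker-default profile : %s\n' \
    "$(diagnose "$DEFAULT_CAPS" 'docker-default (enforce)')"
printf 'SYS_ADMIN added, docker-default profile: %s\n' \
    "$(diagnose "$DEFAULT_PLUS_SYS_ADMIN" 'docker-default (enforce)')"
printf 'SYS_ADMIN added, apparmor unconfined   : %s\n' \
    "$(diagnose "$DEFAULT_PLUS_SYS_ADMIN" unconfined)"

# Live use from inside the container under test:
#   diagnose "$(awk '/^CapEff:/ {print $2}' /proc/self/status)" \
#            "$(cat /proc/self/attr/current 2>/dev/null)"
```

The "apparmor" verdict is the case reported above: `--cap-add=SYS_ADMIN` (and even `--cap-add=ALL`) puts the bit in CapEff, yet mount still fails until the profile is taken out of the way. Unconfining the whole container, as the comments suggest, is the coarse fix; the narrower one is to attach a custom profile with `--security-opt apparmor=<profile-name>` that adds only the mount rule the workload needs and otherwise keeps the docker-default restrictions.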