moby: Unable to mount within a container even w/ `--cap-add=SYS_ADMIN`
According to the docker run reference, section "Runtime privilege, Linux capabilities, and LXC configuration", it should enable the mount syscall w/ --cap-add=SYS_ADMIN.
This is also confirmed by someone who opened #9950 with docker 1.5.
Yet it doesn’t work for me now. Is this expected?
How to reproduce
$ docker run --cap-add=SYS_ADMIN -it ubuntu /bin/bash
root@1a6c069a8589:/# cd home/
root@1a6c069a8589:/home# mkdir 1
root@1a6c069a8589:/home# mkdir 2
root@1a6c069a8589:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1a6c069a8589:/home# exit
$ docker run --cap-add=ALL -it ubuntu /bin/bash
root@1e04bcd81fee:/# cd home/
root@1e04bcd81fee:/home# mkdir 1
root@1e04bcd81fee:/home# mkdir 2
root@1e04bcd81fee:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1e04bcd81fee:/home# exit
--privileged is all right though. FYI.
ENV
docker version: 1.7.1
platform: ubuntu 12.04
/cc @cpuguy83
About this issue
- State: closed
- Created 9 years ago
- Comments: 21 (16 by maintainers)
Commits related to this issue
- Remove non-determinism to improve reproducibility - Reset file attrs for all files included in npm package (as listed on https://docs.npmjs.com/files/package.json#files) - Use a disorderfs for sta... — committed to shesek/spark-wallet by shesek 6 years ago
- Improve reproducibility under different hosts and filesystems - Reset file attrs for all files included in npm package (as listed on https://docs.npmjs.com/files/package.json#files) - Use a disord... — committed to shesek/spark-wallet by shesek 6 years ago
- Improve reproducibility under different host environments - Reset file attrs for all files included in npm package (as listed on https://docs.npmjs.com/files/package.json#files) - Use disorderfs f... — committed to shesek/spark-wallet by shesek 6 years ago
- new attempt at working around the /dev/shm issue (https://github.com/moby/moby/issues/16429#issuecomment-214810198) — committed to nicoulaj/archiso by nicoulaj 5 years ago
- Disable apparmor on Ubuntu On Ubuntu apparmor prevents portage from mounting anything. Following [1] disable apparmor as a workaround. [1] https://github.com/moby/moby/issues/16429 — committed to nicolasbock/ebuildtester by nicolasbock 4 years ago
- DEL: docker run with `--cap-add SYS_ADMIN` https://github.com/moby/moby/issues/16429 — committed to whoisnian/nfsv4-server-docker by whoisnian a year ago
Yeah as long as I launch with “docker run --cap-add=SYS_ADMIN --security-opt apparmor:unconfined” then I am able to mount on a container under Synology DSM6 without having to run in privileged mode, just for anybody who stumbles across this in the future.
Users are not advised to disable AppArmor globally. This can be disabled per-container using `--security-opt apparmor:unconfined`.
I had the same issue and launching with
docker run --cap-add=SYS_ADMIN --security-opt apparmor:unconfined
worked for me. Thanks.

Disabling apparmor indeed fixes the issue. However, something extra must be going on because if I only change the default kernel in /boot/grub/grub.conf and nothing else, it is enough to go between working and not working.
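The reproduction in the issue and the AppArmor comments above describe two different things that can make mount(2) fail inside a container: CAP_SYS_ADMIN missing from the effective capability set, or the container still being confined by the docker-default AppArmor profile. The following is an added diagnostic script, not from the issue or the moby project, that tells the two apart; the CapEff values and the profile label are constructed samples, while the /proc paths and capability number 21 are standard Linux facts.

```shell
#!/bin/sh
# Added diagnostic (not from the moby issue or project): inside a container, tell
# "mount denied because CAP_SYS_ADMIN is missing" apart from "mount denied because
# the container is still confined by AppArmor", the case this issue describes.
# Inputs are passed as arguments so the logic can be exercised with constructed
# values; the comment at the end shows how to feed it the live /proc data.

# CAP_SYS_ADMIN is capability number 21 (linux/capability.h).
CAP_SYS_ADMIN_BIT=21

# has_cap_sys_admin HEXMASK: succeeds if bit 21 is set in the CapEff mask,
# which /proc/self/status prints as a 64-bit hex string.
has_cap_sys_admin() {
    [ $(( 0x$1 >> CAP_SYS_ADMIN_BIT & 1 )) -eq 1 ]
}

# apparmor_confined LABEL: succeeds if the AppArmor label from
# /proc/self/attr/current names an enforcing profile rather than "unconfined".
apparmor_confined() {
    case "$1" in
        ""|unconfined*) return 1 ;;   # no LSM label, or explicitly unconfined
        *) return 0 ;;
    esac
}

# diagnose HEXMASK LABEL: prints the likely reason mount(2) fails and returns
# 0 (nothing blocks it), 1 (capability missing) or 2 (AppArmor still confines).
diagnose() {
    if ! has_cap_sys_admin "$1"; then
        echo "CAP_SYS_ADMIN missing: add --cap-add=SYS_ADMIN"
        return 1
    fi
    if apparmor_confined "$2"; then
        echo "AppArmor profile '$2' still blocks mount: use --security-opt apparmor:unconfined for this container only"
        return 2
    fi
    echo "CAP_SYS_ADMIN present and no AppArmor confinement: mount should succeed"
    return 0
}

# Constructed sample values resembling the two docker runs from the issue.
DEFAULT_CAPEFF=00000000a80425fb    # plain 'docker run'
SYSADMIN_CAPEFF=00000000a82425fb   # 'docker run --cap-add=SYS_ADMIN'
DOCKER_DEFAULT_LABEL="docker-default (enforce)"

for capeff in "$DEFAULT_CAPEFF" "$SYSADMIN_CAPEFF"; do
    diagnose "$capeff" "$DOCKER_DEFAULT_LABEL" || true   # exit code is informational here
done
# Live use inside a container:
#   diagnose "$(awk '/^CapEff:/ {print $2}' /proc/self/status)" "$(cat /proc/self/attr/current 2>/dev/null)"
```

With the SYS_ADMIN sample and the docker-default label the script reports the AppArmor case, which is exactly the situation the issue reporter hit: the capability is present but the profile still refuses the mount.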