Closed zwimer closed 7 months ago
Hi, thanks for the issue. Yeah, using --cap-add instead of --privileged was the initial plan for me as well. But unfortunately, during testing, I didn't get it to work (which could be because of lack of knowledge back then). I don't know which parts were making problems, as that was a few years ago, but it was probably either storage, network or maybe minor parts of memory.
If you have the time to test it out, please let me know if you find out which caps are the correct ones.
So I have now tested it out and even with the --cap-add=ALL flag, some features do not work, when omitting the --privileged flag.
Here is a screenshot on a linux box with --cap-add=ALL:
And here is a screenshot of the same linux box with --privileged:
So what you can see immediately, the following is different:
So in the current state, I conclude that running without --privileged is not possible. If you find any other way, feel free to let me know!
It might be worth mentioning, in case this is ever revisited or someone wants to make a PR:
In addition to capabilities, privileged does a few other things, specifically regarding devices (including network devices as far as I'm aware), which might be useful here given the snapshots above lack info about storage devices and network devices it seems.
https://stackoverflow.com/questions/66635237/difference-between-privileged-and-cap-add-all-in-docker
Description of the feature
In the README, instructions are given using the --privileged flag; this makes running the program in a docker container and exposing it inherently dangerous. If we know which capabilities specifically were needed, it would make the whole setup a lot safer as then we could add only those (and could not-add those we were not comfortable with). It'd be nice if in the README it said something like (this example uses fake info since as per the issue I do not know the real caps necessary or why):
Additional context
A list of linux capabilities can be found here: https://man7.org/linux/man-pages/man7/capabilities.7.html
If you know every feature that doesn't work without privileged (and do not know which capabilities are needed) one could discover them just by testing a dozen times, removing capabilities until only those necessary for functionality remain.
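The elimination procedure described above, sketched as an added example (not code from this issue or from the project): start from a candidate capability set, drop one at a time, and keep each drop only if a feature check still passes. The image name, the check command and the candidate list are placeholders constructed for illustration; the check must be a command that exits 0 only when the feature under test works.

```python
import subprocess

# Constructed subset of names from capabilities(7), written the way
# docker's --cap-add expects them (without the CAP_ prefix).
CANDIDATE_CAPS = ["SYS_ADMIN", "NET_ADMIN", "SYS_RAWIO", "SYS_PTRACE",
                  "DAC_READ_SEARCH", "NET_RAW", "SYS_RESOURCE"]

def docker_argv(image, caps, check_cmd):
    """Build a docker run command line that grants only `caps`."""
    argv = ["docker", "run", "--rm", "--cap-drop=ALL"]
    argv += [f"--cap-add={c}" for c in caps]
    return argv + [image] + list(check_cmd)

def docker_works(image, check_cmd):
    """Return a predicate: does check_cmd exit 0 with exactly these caps?"""
    def works(caps):
        res = subprocess.run(docker_argv(image, caps, check_cmd),
                             capture_output=True, timeout=120)
        return res.returncode == 0
    return works

def minimize_caps(caps, works):
    """Greedy one-pass reduction, assuming extra capabilities never break
    the check. Returns None when the check fails even with every candidate
    granted, which is what the thread reports for --cap-add=ALL: the
    missing piece is then not a capability (for example device access)."""
    needed = list(caps)
    if not works(needed):
        return None
    for cap in list(caps):
        trial = [c for c in needed if c != cap]
        if works(trial):          # feature survives without this cap
            needed = trial
    return needed

if __name__ == "__main__":
    # Placeholder image and check command; substitute the real ones.
    works = docker_works("example/image:latest", ["/bin/true"])
    print(minimize_caps(CANDIDATE_CAPS, works))
```

A `None` result means the search has to widen beyond capabilities before any cap list can replace --privileged.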