How to disable the mount command inside a Docker container

How can I avoid the following error message at the end of this Docker session:

    $ docker run -it ubuntu /bin/bash
    root@b3bcdc4551f5:/# ls
    bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
    root@b3bcdc4551f5:/# cd home/
    root@b3bcdc4551f5:/home# ls
    root@b3bcdc4551f5:/home# mkdir 1
    root@b3bcdc4551f5:/home# mkdir 2
    root@b3bcdc4551f5:/home# mount --bind 1 2
    mount: block device /home/1 is write-protected, mounting read-only
    mount: cannot mount block device /home/1 read-only

Update:

    $ docker run --cap-add=SYS_ADMIN -it ubuntu /bin/bash
    root@1a6c069a8589:/# cd home/
    root@1a6c069a8589:/home# mkdir 1
    root@1a6c069a8589:/home# mkdir 2
    root@1a6c069a8589:/home# mount --bind 1 2
    mount: block device /home/1 is write-protected, mounting read-only
    mount: cannot mount block device /home/1 read-only
    root@1a6c069a8589:/home# exit

    $ docker run --cap-add=ALL -it ubuntu /bin/bash
    root@1e04bcd81fee:/# cd home/
    root@1e04bcd81fee:/home# mkdir 1
    root@1e04bcd81fee:/home# mkdir 2
    root@1e04bcd81fee:/home# mount --bind 1 2
    mount: block device /home/1 is write-protected, mounting read-only
    mount: cannot mount block device /home/1 read-only
    root@1e04bcd81fee:/home# exit

– Privileged is fine.

Self answer :)
Disabling AppArmor with '--security-opt apparmor:unconfined' will work.

Ref: issue 16429

Tried following the suggestion in issue 9950:

You can't call mount unless you have CAP_SYS_ADMIN, which isn't available in the default container configuration.
You need docker run --cap-add SYS_ADMIN
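The two things the thread points at, the CAP_SYS_ADMIN capability and the AppArmor profile, can both be inspected from inside a container before attempting a mount. The script below is an added example, not code from the original post: it decodes the CapEff mask from /proc/self/status (bit 21 is CAP_SYS_ADMIN), prints the AppArmor profile from /proc/self/attr/current, and summarizes which of the two conditions would still block mount. The sample mask values passed to has_cap_sys_admin in the demo are constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example: check whether the current process could call mount(2).
# Two independent gates are involved in a Docker container:
#   1. the CAP_SYS_ADMIN capability (bit 21 of the CapEff mask), and
#   2. the AppArmor profile (docker-default denies mount even with the cap;
#      --security-opt apparmor:unconfined lifts that).

CAP_SYS_ADMIN_BIT=21   # kernel capability index of CAP_SYS_ADMIN

# cap_bit_set HEXMASK BIT -> exit 0 if BIT is set in the hex mask, else 1
cap_bit_set() {
    mask=$1
    bit=$2
    # Arithmetic expansion accepts C-style hex constants, so prefix 0x.
    if [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]; then
        return 0
    fi
    return 1
}

# has_cap_sys_admin HEXMASK -> exit 0 if CAP_SYS_ADMIN is in the mask
has_cap_sys_admin() {
    cap_bit_set "$1" "$CAP_SYS_ADMIN_BIT"
}

# current_cap_effective -> prints the CapEff hex mask of this process
current_cap_effective() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# current_apparmor_profile -> prints the confining profile, or "unavailable"
# when the kernel has no AppArmor (or /proc/self/attr/current is absent)
current_apparmor_profile() {
    if [ -r /proc/self/attr/current ]; then
        cat /proc/self/attr/current 2>/dev/null | tr -d '\n'
    else
        printf 'unavailable'
    fi
}

# mount_blockers MASK PROFILE -> prints a comma-separated list of the gates
# that would still stop mount, or "none" if both gates are open
mount_blockers() {
    mask=$1
    profile=$2
    blockers=""
    if ! has_cap_sys_admin "$mask"; then
        blockers="CAP_SYS_ADMIN missing"
    fi
    case "$profile" in
        docker-default*)
            # docker-default confines mount regardless of capabilities
            blockers="${blockers:+$blockers, }AppArmor docker-default profile" ;;
    esac
    printf '%s' "${blockers:-none}"
}

main() {
    mask=$(current_cap_effective)
    profile=$(current_apparmor_profile)
    echo "CapEff:           ${mask:-unreadable}"
    echo "AppArmor profile: ${profile}"
    if [ -n "$mask" ]; then
        echo "mount blockers:   $(mount_blockers "$mask" "$profile")"
    fi

    # Constructed sample masks: the first lacks bit 21, the second has it.
    for sample in 00000000a80425fb 00000000a82425fb; do
        if has_cap_sys_admin "$sample"; then
            echo "sample $sample: CAP_SYS_ADMIN present"
        else
            echo "sample $sample: CAP_SYS_ADMIN absent"
        fi
    done
}

# Only run the report when executed directly, not when sourced by a test.
case "$0" in
    *sh) : ;;
    *) main ;;
esac
```

Running this inside a plain `docker run` container shows both blockers; with `--cap-add SYS_ADMIN` only the AppArmor line remains, which is why the thread's answer adds `--security-opt apparmor:unconfined` on top of the capability.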