update cap-add docs for seccomp

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Jessica Frazelle 2016-02-11 13:44:00 -08:00
parent 944e4cab2e
commit 1e92e5fdaa
No known key found for this signature in database
GPG Key ID: 18F3685C0022BFF3
1 changed files with 8 additions and 0 deletions

@ -1059,6 +1059,14 @@ one can use this flag:
--privileged=false: Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.
> **Note:**
> With Docker 1.10 and greater, the default seccomp profile will also block
> syscalls, regardless of `--cap-add` passed to the container. We recommend in
> these cases to create your own custom seccomp profile based off our
> [default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json).
> Or if you don't want to run with the default seccomp profile, you can pass
> `--security-opt=seccomp:unconfined` on run.
By default, Docker containers are "unprivileged" and cannot, for
example, run a Docker daemon inside a Docker container. This is because
by default a container is not allowed to access any devices, but a
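Review bot: In the added note, "will also block syscalls" does not say which syscalls are meant, so a reader who passed `--cap-add` cannot tell whether their case is affected; suggest wording along the lines of "the default seccomp profile blocks some syscalls even when the corresponding capability is granted with `--cap-add`". The note also presents `--security-opt=seccomp:unconfined` as an equal alternative without stating that it runs the container with no seccomp filtering at all, so it is worth saying that a custom profile is the preferred route and unconfined is the fallback. The "default" link points at `master`, which can drift from the profile shipped with the reader's Docker release; a sentence noting that, or a version-matched link, would help. Minor: "Or if you don't want to run with the default seccomp profile, ..." is a sentence fragment and reads better joined to the previous sentence.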