Merge pull request #20245 from jfrazelle/20082-cap-add-docs-updates
update cap-add docs for seccomp
commit
73ee139d7a
|
@ -1059,6 +1059,14 @@ one can use this flag:
|
||||||
--privileged=false: Give extended privileges to this container
|
--privileged=false: Give extended privileges to this container
|
||||||
--device=[]: Allows you to run devices inside the container without the --privileged flag.
|
--device=[]: Allows you to run devices inside the container without the --privileged flag.
|
||||||
|
|
||||||
|
> **Note:**
|
||||||
|
> With Docker 1.10 and greater, the default seccomp profile will also block
|
||||||
|
> syscalls, regardless of `--cap-add` passed to the container. We recommend in
|
||||||
|
> these cases to create your own custom seccomp profile based off our
|
||||||
|
> [default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json).
|
||||||
|
> Or if you don't want to run with the default seccomp profile, you can pass
|
||||||
|
> `--security-opt=seccomp:unconfined` on run.
|
||||||
|
|
||||||
By default, Docker containers are "unprivileged" and cannot, for
|
By default, Docker containers are "unprivileged" and cannot, for
|
||||||
example, run a Docker daemon inside a Docker container. This is because
|
example, run a Docker daemon inside a Docker container. This is because
|
||||||
by default a container is not allowed to access any devices, but a
|
by default a container is not allowed to access any devices, but a
|
||||||
|
|
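Review bot: The last two added lines offer `--security-opt=seccomp:unconfined` as an equal alternative to a custom profile, without saying that it removes the seccomp filter for the container entirely. I would state that cost in the note and make the custom profile the clearly preferred route, for example "Only if a custom profile is not practical, you can pass ...". The first sentence is also vague: "will also block syscalls" names neither which syscalls nor how a user can tell a seccomp denial from a missing capability, and the note sits directly under `--privileged` without saying whether that flag is affected in the same way as `--cap-add`. Finally, the `default.json` link points at `master`, so it can drift from the profile shipped with the reader's Docker version; a pointer to the profile for the matching release would be more reliable.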