如何在docker容器中禁用mount命令

时间:2015-09-18 07:28:22

标签: docker mount

如何在此泊坞窗会话结束时避免以下错误消息:

$ docker run -it ubuntu /bin/bash
root@b3bcdc4551f5:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@b3bcdc4551f5:/# cd home/
root@b3bcdc4551f5:/home# ls
root@b3bcdc4551f5:/home# mkdir 1
root@b3bcdc4551f5:/home# mkdir 2
root@b3bcdc4551f5:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only

更新

$ docker run --cap-add=SYS_ADMIN -it ubuntu /bin/bash
root@1a6c069a8589:/# cd home/
root@1a6c069a8589:/home# mkdir 1
root@1a6c069a8589:/home# mkdir 2
root@1a6c069a8589:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1a6c069a8589:/home# exit
$ docker run --cap-add=ALL -it ubuntu /bin/bash
root@1e04bcd81fee:/# cd home/
root@1e04bcd81fee:/home# mkdir 1
root@1e04bcd81fee:/home# mkdir 2
root@1e04bcd81fee:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1e04bcd81fee:/home# exit

- 特权是可以的。

2 个答案:

答案 0 :(得分:1)

自我回答:)
使用' --security-opt apparmor:unconfine d'停用apparmor会工作的。

参考:issue 16429

答案 1 :(得分:0)

尝试遵循issue 9950中的建议:

  

除非您有CAP_SYS_ADMIN,否则无法调用mount,这在默认容器配置中不可用。
  您需要docker run --cap-add SYS_ADMIN

相关问题
最新问题