4

without using volumes -v

I can add --privileged to docker run but I can't mount arbitrary volumes because I depend on another tool to create docker containers so my question is how can I get full access to the docker host file system with --privileged=true, is that enough?

In particular need to access the host /run/ from within the docker container. I can also include --cap-add so that may help. The only thing I can't do is to mount volumes.

Leo Gallucci
  • You should use volumes, see the docs http://docs.docker.com/userguide/dockervolumes/ for example `docker run -v /run:/run` – user2915097 Jun 28 '15 at 13:23
  • As I tried to express in the question, I'm not in control of the docker run command and can't add `-v`, but I can do other things like set privileged to true or even enable any Linux capability. – Leo Gallucci Jun 28 '15 at 18:57
  • Do you have to mount the /run directory, or is it enough to be able to copy to/from it? – Assaf Lavie Jun 28 '15 at 20:45
  • I need read/write access – Leo Gallucci Jun 28 '15 at 21:13
  • docker is basically process isolation, a container should not be able to do much on the host. There is something wrong if you are not able to launch a run command with the correct parameters – user2915097 Jun 29 '15 at 13:10
  • In theory `--privileged` gives you access to all devices, which would let you manually mount hard drives, but it sounds like you don't have access to the container to change it to mount those drives? That implies that the container *already* expects to access `/run/`, but doesn't actually declare it as a volume? This is confusing... can you talk more about what you are actually trying to accomplish with this access? – GrandOpener Jan 06 '16 at 22:26
  • I'm looking for a knowledgeable answer rather than an "In theory" – Leo Gallucci Jan 07 '16 at 12:51

1 Answer

4

I was facing a similar situation. I wanted to access the full filesystem of the host from the privileged container itself. The way I did it was to change the namespace to the host namespace, then execute a command. That command actually acts on the host.

Run on host to start container:

docker run --privileged --pid=host -it xxxxxx

Run in the container:

nsenter -t 1 -m -u -n -i <COMMAND>

The COMMAND will be executed on host.

Brad Pitt
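The answer above works only because the container was started with `--privileged` together with `--pid=host`, so from an operator's point of view those two flags (and the capabilities and bind mounts discussed in the comments) are exactly what to audit for on a host. The script below is an added example, not code from the Stack Overflow thread: it parses the JSON that `docker inspect` prints and flags the `HostConfig` settings (`Privileged`, `PidMode`, `CapAdd`, `SecurityOpt`, `Binds` and the other `*Mode` namespace fields, all real `docker inspect` keys) that give a container this kind of reach into the host. The two inspect records embedded in it are constructed sample input; in practice you would feed it `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` output for settings that let a container act on the host.

Added example for this thread, not the original poster's code. It does not call
docker itself; it parses the JSON that `docker inspect <container>` prints.
The two records in SAMPLE_INSPECT are constructed, not real containers.
"""
import json
from typing import Dict, List

# Capabilities that by themselves allow mounting, ptrace of host processes or
# entering other namespaces (the operations `nsenter` relies on).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

# Host paths whose bind mount is equivalent to handing over the host.
SENSITIVE_HOST_PATHS = ("/", "/run", "/var/run/docker.sock")


def _normalise_cap(cap: str) -> str:
    """Docker accepts both SYS_ADMIN and CAP_SYS_ADMIN; compare them uniformly."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(record: dict) -> List[str]:
    """Return the findings for one `docker inspect` record (empty list = nothing flagged)."""
    findings: List[str] = []
    hc = record.get("HostConfig") or {}
    name = (record.get("Name") or "?").lstrip("/")

    if hc.get("Privileged"):
        findings.append(f"{name}: --privileged (all capabilities, all host devices)")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: --pid=host (host PID 1 visible, nsenter -t 1 possible)")
    for key, flag in (("NetworkMode", "--net=host"), ("IpcMode", "--ipc=host"), ("UTSMode", "--uts=host")):
        if hc.get(key) == "host":
            findings.append(f"{name}: {flag}")

    caps = {_normalise_cap(c) for c in (hc.get("CapAdd") or [])}
    for cap in sorted(caps & RISKY_CAPS):
        findings.append(f"{name}: --cap-add {cap}")

    for opt in hc.get("SecurityOpt") or []:
        if opt.endswith("unconfined"):  # seccomp=unconfined / apparmor=unconfined
            findings.append(f"{name}: --security-opt {opt}")

    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src in SENSITIVE_HOST_PATHS or src.startswith("/run/"):
            findings.append(f"{name}: host path {src} bind-mounted")
    return findings


def audit_inspect_json(text: str) -> Dict[str, List[str]]:
    """Parse `docker inspect` JSON (a list of records); returns {container name: findings}."""
    return {(rec.get("Name") or "?").lstrip("/"): audit_container(rec) for rec in json.loads(text)}


# Constructed sample: one container started the way the answer describes
# (--privileged --pid=host) and one ordinary container, trimmed to the fields
# the audit reads.
SAMPLE_INSPECT = """[
  {"Name": "/build-agent",
   "HostConfig": {"Privileged": true, "PidMode": "host", "NetworkMode": "default",
                  "CapAdd": null, "SecurityOpt": null, "Binds": null}},
  {"Name": "/web",
   "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "bridge",
                  "CapAdd": ["NET_BIND_SERVICE"], "SecurityOpt": null,
                  "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}
]"""

if __name__ == "__main__":
    for container, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(f"[{'RISK' if findings else 'ok'}] {container}")
        for finding in findings:
            print("   ", finding)
```

Run against the sample, `build-agent` is reported for both `--privileged` and `--pid=host` while `web` comes back clean. The same two findings are the ones to treat as a host compromise boundary when reviewing the `docker run` invocations a deployment tool generates: a tool that cannot pass `-v` but does pass `--privileged --pid=host` has not actually restricted the container's access to the host.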