Question
If I am running a container in privileged mode, does it have all the Kernel capabilities or do I need to add them separately?
Recommended answer
Running in privileged mode indeed gives the container all capabilities. But it is good practice to always give a container the minimum requirements it needs. If you look at the Docker docs, they also refer to this flag:
The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.
You can give specific capabilities using the --cap-add flag. See man 7 capabilities for more info on those capabilities. The literal names can be used, e.g. --cap-add CAP_FOWNER.
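A practical way to check what the answer describes is to read the effective capability mask a process actually holds (the CapEff line in /proc/<pid>/status) and compare it with the minimal set you intended to grant. The script below is an added example and is not code from the original answer, from Docker, or from the kernel. It assumes the standard capability numbering from the kernel's capability.h header (CAP_CHOWN = bit 0 up to CAP_CHECKPOINT_RESTORE = bit 40); the sample CapEff values it uses are constructed for illustration (a80425fb is the mask Docker's default capability set produces, 1ffffffffff is what --privileged yields on a kernel that defines 41 capabilities).

```python
"""Decode a Linux capability bitmask and compare it with a minimal allow-list.

Added example (not from the original answer, Docker or the kernel). Capability
bit numbers follow include/uapi/linux/capability.h as of the 41-capability
kernels; older kernels simply have fewer bits set.
"""
import os
import re

# Bit index -> capability name, in kernel numbering order (assumed table).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The 14 capabilities Docker grants by default (without --privileged).
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

# Constructed sample of a /proc/<pid>/status excerpt for a default container.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)


def decode_caps(hex_mask: str) -> set:
    """Turn a hex CapEff/CapBnd mask into the set of capability names."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}
    # Bits above the table mean a newer kernel than this table knows about.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(f"CAP_UNKNOWN_{bit}")
    return names


def parse_cap_eff(status_text: str) -> str:
    """Extract the CapEff hex field from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return match.group(1)


def excess_caps(hex_mask: str, allowed) -> set:
    """Capabilities present in the mask that are not on the allow-list."""
    return decode_caps(hex_mask) - set(allowed)


def cap_flags(allowed) -> list:
    """docker run arguments that drop everything and re-add only the allow-list."""
    args = ["--cap-drop", "ALL"]
    for name in sorted(allowed):
        args += ["--cap-add", name]
    return args


if __name__ == "__main__":
    # On Linux inspect the running process; elsewhere fall back to the sample.
    text = open("/proc/self/status").read() if os.path.exists("/proc/self/status") else SAMPLE_STATUS
    eff = parse_cap_eff(text)
    print("CapEff", eff, "->", sorted(decode_caps(eff)))
    wanted = {"CAP_NET_BIND_SERVICE"}
    print("beyond allow-list:", sorted(excess_caps(eff, wanted)))
    print("minimal run flags:", " ".join(cap_flags(wanted)))
```

Run it inside a container (docker exec ... python3 caps.py) to see the effective set; a --privileged container shows every bit set, including CAP_SYS_ADMIN, while a container started with the flags cap_flags() prints shows only the one capability you asked for.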