-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docs freshness updates to Docker run command docs #4144
Docs freshness updates to Docker run command docs #4144
Conversation
Thank you for contributing! It appears your commit message is missing a DCO sign-off, We require all commit messages to have a
There is no need to open a new pull request, but to fix this (and make CI pass), Unfortunately, it's not possible to do so through GitHub's web UI, so this needs You can find some instructions in the output of the DCO check (which can be found Steps to do so "roughly" come down to:
Sorry for the hassle (I wish GitHub would make this a bit easier to do), and let me know if you need help or more detailed instructions! |
2f2b297
to
6d66dda
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #4144 +/- ##
==========================================
- Coverage 58.87% 58.86% -0.01%
==========================================
Files 570 572 +2
Lines 49558 49572 +14
==========================================
+ Hits 29178 29182 +4
- Misses 18616 18624 +8
- Partials 1764 1766 +2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Quite some improvements in here. While reading, I found some issues, and left some comments (some aren't new, but might be something we need to look into, which can be in a follow up)
Let me know if you want to go through some of them!
filesystems). However, the `--privileged` flag will allow it to run: | ||
This *doesn't* work, because by default, Docker drops most potentially dangerous kernel | ||
capabilities, including `cap_sys_admin` (which is required to mount | ||
filesystems). However, the `--privileged` flag allows it to run: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For a follow-up, we should make a pass at searching for --privileged
examples. Using --privileged
is a BIG hammer, and effectively disables all security that containers provide (making a privileged container effectively "not a container", or a container that "doesn't contain). For cases where we can we should document the minimum amount of (additional) privileges needed. (And have a canonical section on "privileged" with tons of
For this specific example, it looks like we need CAP_SYS_ADMIN
, so the example can look like;
$ docker run -it --cap-add CAP_SYS_ADMIN ubuntu bash
root@50e3f57e16e6:/# mount -t tmpfs none /mnt
root@50e3f57e16e6:/# df -h
Filesystem Size Used Avail Use% Mounted on
none 1.9G 0 1.9G 0% /mnt
Or even (using alpine
);
$ docker run -it --cap-add CAP_SYS_ADMIN alpine
/ # mount -t tmpfs none /mnt
/ # df -h
Filesystem Size Used Available Use% Mounted on
overlay 58.4G 27.8G 27.6G 50% /
tmpfs 64.0M 0 64.0M 0% /dev
shm 64.0M 0 64.0M 0% /dev/shm
/dev/vda1 58.4G 27.8G 27.6G 50% /etc/resolv.conf
/dev/vda1 58.4G 27.8G 27.6G 50% /etc/hostname
/dev/vda1 58.4G 27.8G 27.6G 50% /etc/hosts
tmpfs 64.0M 0 64.0M 0% /proc/kcore
tmpfs 64.0M 0 64.0M 0% /proc/keys
tmpfs 64.0M 0 64.0M 0% /proc/timer_list
tmpfs 3.8G 0 3.8G 0% /sys/firmware
none 3.8G 0 3.8G 0% /mnt
I should note that the existing example only shows the "essential" lines from the output (the mnt
mount) for illustrational purposes.
- I guess we could make it
df -h | grep mnt
(so that the output matches actual output) but we'd loose the headers :thinking_face: - Should we use a mount destination that more clearly stands out as "this is an example"? (
mkdir /example-mount && mount -t tmpfs none /example-mount
)? Note that the existing example uses/mnt
(which already exists), but other locations won't (so users would run into an error).
Some other bits (for follow-ups);
- Review the "Runtime privilege and Linux capabilities" to check if the list of capabilities is complete (recent kernel versions added some new capabilities).
- While we accept both
SYS_ADMIN
andCAP_SYS_ADMIN
(as well as lowercase variants), I know that internally (at least daemon-side) we normalize toCAP_SOME_CAPABILITY
(see https://github.com/moby/moby/blob/58c027ac8ba19a3fa339c65274ea6704ccbec977/oci/caps/utils.go#L56-L79), so I wonder if we should update examples (and the table) to use the same for consistency - Some examples use
ubuntu
(ubuntu:latest
); there's two issues there (possibly worth considering);- depending on the example,
ubuntu
may not always be needed, and we could make the examples more lightweight by usingalpine
(alpine'sapk add --no-cache
install is super fast as well, which makes it great to provide quick examples that need additional packages installed), and we should probably preferalpine
overbusybox
(where we use it). - this might be a bit of a stretch, but
:latest
(while it reduces maintenance on our side) rarely is "best practice". Now, this is a bit of a grey area; for quick "one-off" things (such asdocker run alpine echo hello
), or other things one may do, I guess "it's fine" (don't want to be typing too much). On the other hand, building an image usingubuntu:latest
(e.g.) is definitely not the way to go (latest
may be a new version of Ubuntu "tomorrow", and break your image!) so we need to find the right balance between that (show best practices where needed to make users familiar with them).
- depending on the example,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thaJeztah The existing text around this example says…
This doesn't work, because by default, Docker drops most potentially dangerous kernel
capabilities, includingCAP_SYS_ADMIN
(which is required to mount
filesystems).
So is that also wrong? As the proposed example uses something the text explicitly says won't work.
And noted for all the follow up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ChrisChinchilla the example is correct that it doesn't work. The issue here is a bit that we use --privileged
to work around that, whereas (for this example) just adding the CAP_SYS_ADMIN
capability would've worked.
--privileged
is a bit of a big hammer (and should be avoided in most cases, as it removes all security that a container provides); granting CAP_SYS_ADMIN
is just one thing it does (it grants "all capabilities", but also disables seccomp, selinux, apparmor, and grants access to some paths that are otherwise protected.
TL;DR it works, but should not be the recommended approach for this specific case
filesystems). However, the `--privileged` flag will allow it to run: | ||
This *doesn't* work, because by default, Docker drops most potentially dangerous kernel | ||
capabilities, including `cap_sys_admin` (which is required to mount | ||
filesystems). However, the `--privileged` flag allows it to run: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ChrisChinchilla the example is correct that it doesn't work. The issue here is a bit that we use --privileged
to work around that, whereas (for this example) just adding the CAP_SYS_ADMIN
capability would've worked.
--privileged
is a bit of a big hammer (and should be avoided in most cases, as it removes all security that a container provides); granting CAP_SYS_ADMIN
is just one thing it does (it grants "all capabilities", but also disables seccomp, selinux, apparmor, and grants access to some paths that are otherwise protected.
TL;DR it works, but should not be the recommended approach for this specific case
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changes LGTM; could you squash the commits?
ac90042
to
cd6f2ee
Compare
@thaJeztah Done! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
oh! looks like the markdown needs to be regenerated; let me do so quickly |
Signed-off-by: Chris Chinchilla <chris.ward@docker.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cd6f2ee
to
e693e7f
Compare
All green now 👍 |
This ended up being a lot more changes than expected, but is something of a refresh for consistency, style, understanding, and freshness.