为什么在 docker 容器中禁用 mount 命令
How come mount command is disabled inside a docker container
如何避免在此 docker 会话结束时出现以下错误消息:
$ docker run -it ubuntu /bin/bash
root@b3bcdc4551f5:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@b3bcdc4551f5:/# cd home/
root@b3bcdc4551f5:/home# ls
root@b3bcdc4551f5:/home# mkdir 1
root@b3bcdc4551f5:/home# mkdir 2
root@b3bcdc4551f5:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
更新:
$ docker run --cap-add=SYS_ADMIN -it ubuntu /bin/bash
root@1a6c069a8589:/# cd home/
root@1a6c069a8589:/home# mkdir 1
root@1a6c069a8589:/home# mkdir 2
root@1a6c069a8589:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1a6c069a8589:/home# exit
$ docker run --cap-add=ALL -it ubuntu /bin/bash
root@1e04bcd81fee:/# cd home/
root@1e04bcd81fee:/home# mkdir 1
root@1e04bcd81fee:/home# mkdir 2
root@1e04bcd81fee:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1e04bcd81fee:/home# exit
--有特权也行
尝试遵循 issue 9950 中的建议:
You cannot call mount unless you have CAP_SYS_ADMIN, which is not available in the default container config.
You'd need to docker run --cap-add SYS_ADMIN
自己回答:)
使用“--security-opt apparmor:unconfined”禁用 apparmor 会起作用。
参考:issue 16429
如何避免在此 docker 会话结束时出现以下错误消息:
$ docker run -it ubuntu /bin/bash
root@b3bcdc4551f5:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@b3bcdc4551f5:/# cd home/
root@b3bcdc4551f5:/home# ls
root@b3bcdc4551f5:/home# mkdir 1
root@b3bcdc4551f5:/home# mkdir 2
root@b3bcdc4551f5:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
更新:
$ docker run --cap-add=SYS_ADMIN -it ubuntu /bin/bash
root@1a6c069a8589:/# cd home/
root@1a6c069a8589:/home# mkdir 1
root@1a6c069a8589:/home# mkdir 2
root@1a6c069a8589:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1a6c069a8589:/home# exit
$ docker run --cap-add=ALL -it ubuntu /bin/bash
root@1e04bcd81fee:/# cd home/
root@1e04bcd81fee:/home# mkdir 1
root@1e04bcd81fee:/home# mkdir 2
root@1e04bcd81fee:/home# mount --bind 1 2
mount: block device /home/1 is write-protected, mounting read-only
mount: cannot mount block device /home/1 read-only
root@1e04bcd81fee:/home# exit
--有特权也行
尝试遵循 issue 9950 中的建议:
You cannot call mount unless you have CAP_SYS_ADMIN, which is not available in the default container config.
You'd need todocker run --cap-add SYS_ADMIN
自己回答:)
使用“--security-opt apparmor:unconfined”禁用 apparmor 会起作用。
参考:issue 16429