No root permission in a docker container image
Clash Royale CLAN TAG#URR8PPP
I test a Docker container (created from Nvidia CUDA image) started with the command:
docker run -i -t xxxxxx /bin/bash
I can see the root prompt, but still don't have privileges for some operations; for example, when I execute:
dmesg
I see "Permission denied". Why?
linux permissions root docker dmesg
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
asked Feb 13 at 9:36
MarkMark
836
add a comment |
I test a Docker container (created from Nvidia CUDA image) started with the command:
docker run -i -t xxxxxx /bin/bash
I can see the root prompt, but still don't have privileges for some operations; for example, when I execute:
dmesg
I see "Permission denied". Why?
linux permissions root docker dmesg
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
asked Feb 13 at 9:36
MarkMark
836
How did you install the image etc etc?
– Tommiie
Feb 13 at 9:44
docker pull nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04 ( newbie to container, just follow the steps. )
– Mark
Feb 14 at 1:40
add a comment |
I test a Docker container (created from Nvidia CUDA image) started with the command:
docker run -i -t xxxxxx /bin/bash
I can see the root prompt, but still don't have privileges for some operations; for example, when I execute:
dmesg
I see "Permission denied". Why?
linux permissions root docker dmesg
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
asked Feb 13 at 9:36
MarkMark
836
I test a Docker container (created from Nvidia CUDA image) started with the command:
docker run -i -t xxxxxx /bin/bash
I can see the root prompt, but still don't have privileges for some operations; for example, when I execute:
dmesg
I see "Permission denied". Why?
linux permissions root docker dmesg
linux permissions root docker dmesg
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
asked Feb 13 at 9:36
MarkMark
836
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
asked Feb 13 at 9:36
MarkMark
836
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
edited Feb 14 at 11:56
Jeff Schaller
43.1k1159137
43.1k1159137
asked Feb 13 at 9:36
MarkMark
836
asked Feb 13 at 9:36
MarkMark
836
asked Feb 13 at 9:36
MarkMark
836
836
How did you install the image etc etc?
– Tommiie
Feb 13 at 9:44
docker pull nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04 ( newbie to container, just follow the steps. )
– Mark
Feb 14 at 1:40
add a comment |
How did you install the image etc etc?
– Tommiie
Feb 13 at 9:44
docker pull nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04 ( newbie to container, just follow the steps. )
– Mark
Feb 14 at 1:40
How did you install the image etc etc?
– Tommiie
Feb 13 at 9:44
How did you install the image etc etc?
– Tommiie
Feb 13 at 9:44
docker pull nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04 ( newbie to container, just follow the steps. )
– Mark
Feb 14 at 1:40
docker pull nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04 ( newbie to container, just follow the steps. )
– Mark
Feb 14 at 1:40
add a comment |
1 Answer
1
active
oldest
votes
In modern Linux, being root does not necessarily mean having ultimate permissions. Capabilities mechanism provides more fine-grained control over permissions by breaking root's power in parts which may be granted/revoked to/from specific task individually, and Docker uses this mechanism.
By default, Docker drops many dangerous capabilities when it starts the containerized process, even if this process runs on behalf of root user. This is because the host kernel is shared between all containers and the host system, thus, some system calls from the privileged containerized process may reveal information about (your case) or even affect the "outer world". That is why you see "Permission denied" even while you run dmesg(1) as root.
Internally, dmesg(1) calls syslog(2) system call to obtain the kernel log. As per man capabilities, this system call requires specific capability - CAP_SYSLOG:
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations.
See syslog(2) for information on which operations require privilege.
This capability is dropped in Docker containers by default, so, dmesg(1) in your container fails.
If you trust the vendor of the image, or just don't care a lot about security, you may start the container with additional capability (--cap-add syslog):
docker run -it --cap-add syslog nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04
This will solve your issue.
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f500361%2fno-root-permission-in-a-docker-container-image%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
In modern Linux, being root does not necessarily mean having ultimate permissions. Capabilities mechanism provides more fine-grained control over permissions by breaking root's power in parts which may be granted/revoked to/from specific task individually, and Docker uses this mechanism.
By default, Docker drops many dangerous capabilities when it starts the containerized process, even if this process runs on behalf of root user. This is because the host kernel is shared between all containers and the host system, thus, some system calls from the privileged containerized process may reveal information about (your case) or even affect the "outer world". That is why you see "Permission denied" even while you run dmesg(1) as root.
Internally, dmesg(1) calls syslog(2) system call to obtain the kernel log. As per man capabilities, this system call requires specific capability - CAP_SYSLOG:
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations.
See syslog(2) for information on which operations require privilege.
This capability is dropped in Docker containers by default, so, dmesg(1) in your container fails.
If you trust the vendor of the image, or just don't care a lot about security, you may start the container with additional capability (--cap-add syslog):
docker run -it --cap-add syslog nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04
This will solve your issue.
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
add a comment |
In modern Linux, being root does not necessarily mean having ultimate permissions. Capabilities mechanism provides more fine-grained control over permissions by breaking root's power in parts which may be granted/revoked to/from specific task individually, and Docker uses this mechanism.
By default, Docker drops many dangerous capabilities when it starts the containerized process, even if this process runs on behalf of root user. This is because the host kernel is shared between all containers and the host system, thus, some system calls from the privileged containerized process may reveal information about (your case) or even affect the "outer world". That is why you see "Permission denied" even while you run dmesg(1) as root.
Internally, dmesg(1) calls syslog(2) system call to obtain the kernel log. As per man capabilities, this system call requires specific capability - CAP_SYSLOG:
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations.
See syslog(2) for information on which operations require privilege.
This capability is dropped in Docker containers by default, so, dmesg(1) in your container fails.
If you trust the vendor of the image, or just don't care a lot about security, you may start the container with additional capability (--cap-add syslog):
docker run -it --cap-add syslog nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04
This will solve your issue.
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
add a comment |
In modern Linux, being root does not necessarily mean having ultimate permissions. Capabilities mechanism provides more fine-grained control over permissions by breaking root's power in parts which may be granted/revoked to/from specific task individually, and Docker uses this mechanism.
By default, Docker drops many dangerous capabilities when it starts the containerized process, even if this process runs on behalf of root user. This is because the host kernel is shared between all containers and the host system, thus, some system calls from the privileged containerized process may reveal information about (your case) or even affect the "outer world". That is why you see "Permission denied" even while you run dmesg(1) as root.
Internally, dmesg(1) calls syslog(2) system call to obtain the kernel log. As per man capabilities, this system call requires specific capability - CAP_SYSLOG:
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations.
See syslog(2) for information on which operations require privilege.
This capability is dropped in Docker containers by default, so, dmesg(1) in your container fails.
If you trust the vendor of the image, or just don't care a lot about security, you may start the container with additional capability (--cap-add syslog):
docker run -it --cap-add syslog nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04
This will solve your issue.
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
In modern Linux, being root does not necessarily mean having ultimate permissions. Capabilities mechanism provides more fine-grained control over permissions by breaking root's power in parts which may be granted/revoked to/from specific task individually, and Docker uses this mechanism.
By default, Docker drops many dangerous capabilities when it starts the containerized process, even if this process runs on behalf of root user. This is because the host kernel is shared between all containers and the host system, thus, some system calls from the privileged containerized process may reveal information about (your case) or even affect the "outer world". That is why you see "Permission denied" even while you run dmesg(1) as root.
Internally, dmesg(1) calls syslog(2) system call to obtain the kernel log. As per man capabilities, this system call requires specific capability - CAP_SYSLOG:
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations.
See syslog(2) for information on which operations require privilege.
This capability is dropped in Docker containers by default, so, dmesg(1) in your container fails.
If you trust the vendor of the image, or just don't care a lot about security, you may start the container with additional capability (--cap-add syslog):
docker run -it --cap-add syslog nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04
This will solve your issue.
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
edited Feb 14 at 10:55
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
answered Feb 14 at 10:41
Danila KiverDanila Kiver
470212
470212
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f500361%2fno-root-permission-in-a-docker-container-image%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
How did you install the image etc etc?
– Tommiie
Feb 13 at 9:44
docker pull nvcr.io/nvidia/cuda:9.0-devel-ubuntu16.04 ( newbie to container, just follow the steps. )
– Mark
Feb 14 at 1:40