I made a packet-sending app image based on Ubuntu and installed tcpdump. When I start the container with --privileged and try to run tcpdump -i eth0, it reports an error:
root@test:/home/test# docker run --rm -ti --privileged mytliulei/xfdsend /bin/bash
root@6199493fb2b9:/# tcpdump -i eth0
tcpdump: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: Permission denied
But when I start the Docker container without --privileged, it is OK. Why?
root@test:/home/test# docker run --rm -ti mytliulei/xfdsend /bin/bash
root@c7b7e2a9ec99:/# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Docker version:
docker version
Client version: 1.6.0
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 4749651
OS/Arch (client): linux/amd64
Server version: 1.6.0
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 4749651
OS/Arch (server): linux/amd64
Dockerfile:
FROM ubuntu:14.04
MAINTAINER Liu Lei <[email protected]>
# python-pip added here: the Dockerfile as posted calls pip2 without installing it,
# and neither python nor python-dev pulls pip in on ubuntu:14.04
RUN apt-get update \
    && apt-get install -y python \
        python-dev \
        python-pip \
        tcpdump
RUN pip2 install scapy \
    && pip2 install rpyc \
    && pip2 install robotremoteserver \
    && pip2 install daemonocle
What is Docker privileged mode? A container started with --privileged is granted every Linux capability and access to all devices on the host, and Docker does not apply the AppArmor or SELinux confinement it would otherwise put on the container. Such a container can do nearly everything root on the host can do; for example, it can modify AppArmor and SELinux configuration.
privileged: determines whether any container in a pod can enable privileged mode. By default a container is not allowed to access any devices on the host, but a "privileged" container is given access to all devices on the host. This gives the container nearly the same access as processes running on the host.
Containers do not run privileged by default. To run one as privileged the user must flag it explicitly, and that flag turns on every capability for the container or pod, so the container holds all the capabilities the host can exercise.
A quick check from inside the container is fdisk -l: it only lists the host's block devices when the container is privileged. Any command that needs the extra capabilities or device access can serve as the same test.
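A less destructive check than poking at devices is to read the effective capability mask from /proc/self/status, which is where the "all capabilities" claim above actually shows up. The script below is an added example, not code from the original post: it decodes a CapEff mask and tells you whether CAP_NET_RAW (what tcpdump needs), CAP_SYS_ADMIN and CAP_SYS_MODULE are present, and whether the mask is the full set. The two status lines are constructed: the first is Docker's default capability set for an unprivileged container, the second is the full set on a kernel with 37 capabilities, which is what --privileged yields.

```sh
#!/bin/sh
# Added example (not from the original post): decode the CapEff line of
# /proc/<pid>/status to see which capabilities a container process holds.
# Capability numbers are taken from <linux/capability.h>.

CAP_NET_RAW=13
CAP_SYS_MODULE=16
CAP_SYS_ADMIN=21

# Constructed sample lines in the format /proc/self/status prints them.
STATUS_DEFAULT='CapEff:	00000000a80425fb'     # Docker default caps, no --privileged
STATUS_PRIVILEGED='CapEff:	0000003fffffffff'  # all 37 caps, as with --privileged

# cap_eff_mask STATUS_TEXT -> prints the hex mask following "CapEff:"
# STATUS_TEXT may be the whole file, e.g. "$(cat /proc/self/status)".
cap_eff_mask() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# cap_is_set HEXMASK CAPNUM -> exit 0 if bit CAPNUM is set in HEXMASK
cap_is_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# looks_privileged HEXMASK -> exit 0 if every capability bit 0..36 is set
looks_privileged() {
    n=0
    while [ "$n" -le 36 ]; do
        cap_is_set "$1" "$n" || return 1
        n=$((n + 1))
    done
    return 0
}

# report STATUS_TEXT -> prints a short capability summary for that status text
report() {
    mask=$(cap_eff_mask "$1")
    echo "CapEff=$mask"
    for cap in NET_RAW:$CAP_NET_RAW SYS_MODULE:$CAP_SYS_MODULE SYS_ADMIN:$CAP_SYS_ADMIN; do
        name=${cap%%:*}
        num=${cap##*:}
        if cap_is_set "$mask" "$num"; then
            echo "  CAP_$name: yes"
        else
            echo "  CAP_$name: no"
        fi
    done
    if looks_privileged "$mask"; then
        echo "  full capability set (privileged container)"
    else
        echo "  restricted capability set"
    fi
}

report "$STATUS_DEFAULT"
report "$STATUS_PRIVILEGED"
# Inside a real container: report "$(cat /proc/self/status)"
```

Note that CAP_NET_RAW is in Docker's default set, so tcpdump's packet capture itself does not need --privileged; the flag changes what else is lifted around the process, not whether it may open a raw socket.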
I bumped into this error some days ago; it seems to be related to:
https://github.com/dotcloud/docker/issues/5490
A workaround that worked for me is moving tcpdump
(e.g. mv tcpdump in the Dockerfile):
RUN apt-get -y install tcpdump
RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump