Adding instructions in Dockerfile : CMD --privileged sh -c command1 && command2 ...
#47632
Comments
Can you provide more context about what the "privileged" operation would do? Is this to run the command with
The builder is now maintained in the BuildKit project (), and since that ticket, an alternative proposal was created;
Which added However, as the feature (as mentioned earlier) is insecure, it requires the BuildKit configuration to be explicitly configured to allow the feature, as well as entitlements to be passed when triggering the build; #1916 (comment)
@thaJeztah The purpose of this solution is to ensure that a number of privileged commands are executed in ENTRYPOINT (or before executing ENTRYPOINT) when the container is run. At the same time, the entire assembly has been completed and volumes are mounted and networks connected. Also at the same time, we do not assign privileges to the container, thereby maintaining its security.
As I understand it, it’s better to move this topic to moby/buildkit
It is intentional that such flags from There are some previous attempts #32801 to let the image define the exact options that it needs, and the user confirms it by allowing access to privileged features, but nothing like this is currently in the works afaik.
https://docs.docker.com/reference/dockerfile/#run---security The official documentation now says differently. Additional options are currently being added as experimental features to moby/buildkit
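The `RUN --security` flag in the linked documentation applies to build steps, and its insecure mode is gated behind a BuildKit entitlement, so a reviewer can flag Dockerfiles that request it before allowing that entitlement on a builder. The Python check below is an added example, not part of this thread or of Docker/BuildKit code; the sample Dockerfile is constructed, and the parser assumes the default backslash escape character and no heredocs.

```python
# Constructed sample Dockerfile (not taken from the thread).
SAMPLE = r'''# syntax=docker/dockerfile:1
FROM alpine
RUN apk add --no-cache curl
RUN --mount=type=cache,target=/var/cache \
    --security=insecure \
    sh -c 'mount -t tmpfs none /mnt && touch /mnt/x'
# RUN --security=insecure echo commented-out
RUN --security=sandbox echo default-mode
RUN echo "--security=insecure is only text here"
ENTRYPOINT ["/entrypoint.sh"]
'''

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are dropped, even mid-continuation
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended on a dangling continuation
        yield start, " ".join(buf)

def insecure_runs(text):
    """Return [(line_no, instruction)] for RUN steps using --security=insecure."""
    hits = []
    for no, instr in logical_lines(text):
        words = instr.split()
        if not words or words[0].upper() != "RUN":
            continue
        for tok in words[1:]:
            if not tok.startswith("--"):
                break  # flags ended; the rest is the command itself
            if tok == "--security=insecure":
                hits.append((no, instr))
                break
    return hits

if __name__ == "__main__":
    for no, instr in insecure_runs(SAMPLE):
        print(f"line {no}: needs security.insecure entitlement: {instr}")
```

A hit means the build only works when the builder was started with `--allow-insecure-entitlement security.insecure` and the build is invoked with `--allow security.insecure`; none of this changes the privileges of the container at `docker run` time.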
As you said yourself
The idea was that the user would have the opportunity to declare privileged commands in the Dockerfile before running ENTRYPOINT. In this case, there would be no need to assign privileges to the container (docker run --privileged). From your findings, this means the idea is not feasible. (((
@tonistiigi
where in the entrypoint commit the command is only initialized, but not run. RUN entrypoint which records the execution of the entry point after merging commits. Where an additional (privileged) script could be implemented as an additional RUN commit between the merged commit and the RUN entrypoint commit. But these are just thoughts out loud.
Description
Newbie. Please don't hit too hard.
It is necessary to run privileged commands while the container is running.
Adding instructions in Dockerfile:
CMD --privileged sh -c command1 && command2 ...
You can also add such functionality to the CLI
run --privileged-cmd="cmd1&&cmd2"
The command runs after the volumes are initialized.
For example, it will be possible to put such a command only before ENTRYPOINT.
This eliminates the need to assign privileges to the container to be able to execute a privileged command.
This behavior will allow administrators to expand the functionality of the container without endangering it.