From 9e34c42d20ef95225bb6c36235d22935365cbef9 Mon Sep 17 00:00:00 2001 From: James Turnbull Date: Sun, 7 Sep 2014 22:49:46 -0400 Subject: [PATCH] Added --device flag to run reference Docker-DCO-1.1-Signed-off-by: James Turnbull (github: jamtur01) --- docs/sources/reference/run.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/sources/reference/run.md b/docs/sources/reference/run.md index 6dc7b40721..1b56c74299 100644 --- a/docs/sources/reference/run.md +++ b/docs/sources/reference/run.md @@ -231,6 +231,7 @@ them via Docker. --cap-add: Add Linux capabilities --cap-drop: Drop Linux capabilities --privileged=false: Give extended privileges to this container + --device=[]: Allows you to run devices inside the container without the --privileged flag. --lxc-conf=[]: (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" By default, Docker containers are "unprivileged" and cannot, for 
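Review bot: the new `--device=[]` entry in the option summary is out of step with its neighbours and does not show the value syntax. The other entries are short imperative phrases ("Add Linux capabilities", "Drop Linux capabilities") while this one is a full sentence, and "run devices inside the container" is misleading: the flag does not run anything, it makes a host device node available inside the container. The `host-path:container-path` form used by the example in the next hunk should be stated here, the way `--lxc-conf` is followed by a sample value. Suggest something like `--device=[]: Expose a host device to the container (host-path:container-path) without --privileged`.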
@@ -243,11 +244,17 @@ https://www.kernel.org/doc/Documentation/cgroups/devices.txt)). When the operator executes `docker run --privileged`, Docker will enable to access to all devices on the host as well as set some configuration -in AppArmor to allow the container nearly all the same access to the +in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with `--privileged` is available on the [Docker Blog](http://blog.docker.com/2013/09/docker-can-now-run-within-docker/). +If you want to limit access to a specific device or devices you can use +the `--device` flag. It allows you to specify one or more devices that +will be accessible within the container. + + $ docker run --device=/dev/snd:/dev/snd ... + In addition to `--privileged`, the operator can have fine grain control over the capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default list of capabilities that are kept. Both flags support the value `all`, so if the
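Review bot: the `docker run --device=/dev/snd:/dev/snd ...` example introduces the colon-separated value without ever explaining it; say that the left side is the host device and the right side is the path at which it appears inside the container, and replace the trailing `...` with a complete command (at least an image name) so the line can be copied and run. Since the text says "one or more devices" and the option is `--device=[]`, show the flag given twice for two devices so readers see how a list is passed. Because the paragraph immediately above explains that `--privileged` opens all host devices and relaxes the AppArmor/SELinux profile, the new paragraph should also say what `--device` does not do: it whitelists only the named device(s) in the devices cgroup and leaves the container's capabilities and AppArmor/SELinux profile unchanged, which is the reason to prefer it over `--privileged`. "If you want to limit access to a specific device" also reads backwards; the flag grants access to a device the container otherwise cannot reach rather than limiting an existing grant, so "grant access to a specific device or devices" is the accurate wording. Minor, in the unchanged context line while this file is being edited: "Docker will enable to access to all devices" has a stray "to".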