Signed-off-by: Jessica Frazelle <acidburn@docker.com>
(cherry picked from commit 1e92e5fdaab833000d6d3a4f6756cb677cb7899e)
| ... | ... |
@@ -1059,6 +1059,14 @@ one can use this flag: |
| 1059 | 1059 |
--privileged=false: Give extended privileges to this container |
| 1060 | 1060 |
--device=[]: Allows you to run devices inside the container without the --privileged flag. |
| 1061 | 1061 |
|
| 1062 |
+> **Note:** |
|
| 1063 |
+> With Docker 1.10 and greater, the default seccomp profile will also block |
|
| 1064 |
+> syscalls, regardless of `--cap-add` passed to the container. We recommend in |
|
| 1065 |
+> these cases to create your own custom seccomp profile based off our |
|
| 1066 |
+> [default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json). |
|
| 1067 |
+> Or if you don't want to run with the default seccomp profile, you can pass |
|
| 1068 |
+> `--security-opt=seccomp:unconfined` on run. |
|
| 1069 |
+ |
|
| 1062 | 1070 |
By default, Docker containers are "unprivileged" and cannot, for |
| 1063 | 1071 |
example, run a Docker daemon inside a Docker container. This is because |
| 1064 | 1072 |
by default a container is not allowed to access any devices, but a |
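Review bot: the added note (new lines 1063-1064) says the default seccomp profile "will also block syscalls, regardless of `--cap-add`", which reads as if every syscall is blocked; suggest "will also block certain syscalls" so the reader understands that the profile denies a specific set of calls that adding a capability does not re-enable, and that a container which needs one of them has to change the profile rather than add capabilities. Two follow-ups in the same paragraph: it tells readers to create a custom profile "based off our default" but never shows how to load it, so the `--security-opt=seccomp:unconfined` example on line 1068 should be paired with the file form of the same flag (`--security-opt seccomp:<profile.json>`), with a plain statement that `unconfined` removes syscall filtering entirely rather than only the blocked calls; and the `default.json` link on line 1066 points at `master`, which will drift away from what 1.10 actually ships, so link a tagged release or name the version the profile belongs to. Finally, the note is anchored between the `--device` flag and the "unprivileged" paragraph and refers to `--cap-add`, which the surrounding context has not introduced yet; placing it next to the capability flags it qualifies would keep the reference self-explanatory.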