opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-18 03:33:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4841 from markstos/issue-4840-improve-privileged-docs

Browse Source 
docs: --privileged docs completeness, consistency
This commit is contained in:
OpenShift Merge Robot
2020-01-13 08:27:15 +01:00
committed by GitHub
parent 55dd73cf58 9c8e2822cb
commit aa554d7ba2
3 changed files with 25 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/source/markdown/podman-create.1.md
View File

@ -586,7 +586,7 @@ To make a pod with more granular options, use the `podman pod create` command be
Give extended privileges to this container. The default is *false*.
By default, Podman containers are
“unprivileged” (=false) and cannot, for example, modify parts of the kernel.
“unprivileged” (=false) and cannot, for example, modify parts of the operating system.
This is because by default a container is not allowed to access any devices.
A “privileged” container is given access to all devices.
@ -595,6 +595,8 @@ to all devices on the host, turns off graphdriver mount options, as well as
turning off most of the security measures protecting the host from the
container.
Rootless containers cannot have more privileges than the account that launched them.
**--publish**, **-p**=*port*
Publish a container's port, or range of ports, to the host

14
docs/source/markdown/podman-exec.1.md
View File

@ -43,7 +43,19 @@ Pass down to the process N additional file descriptors (in addition to 0, 1, 2).
**--privileged**
Give the process extended Linux capabilities when running the command in container.
Give extended privileges to this container. The default is *false*.
By default, Podman containers are
"unprivileged" and cannot, for example, modify parts of the operating system.
This is because by default a container is only allowed limited access to devices.
A "privileged" container is given the same access to devices as the user launching the container.
A privileged container turns off the security features that isolate the
container from the host. Dropped Capabilities, limited devices, read/only mount
points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
Rootless containers cannot have more privileges than the account that launched them.
**--tty**, **-t**

17
docs/source/markdown/podman-run.1.md
View File

@ -599,15 +599,16 @@ If a container is run with a pod, and the pod has an infra-container, the infra-
Give extended privileges to this container. The default is *false*.
By default, Podman containers are “unprivileged” (=false) and cannot,
for example, modify parts of the kernel. This is because by default a
container is not allowed to access any devices. A privileged container
is given access to all devices.
By default, Podman containers are “unprivileged” (=false) and cannot, for
example, modify parts of the operating system. This is because by default a
container is only allowed limited access to devices. A "privileged" container
is given the same access to devices as the user launching the container.
When the operator executes **podman run --privileged**, Podman enables access
to all devices on the host, turns off graphdriver mount options, as well as
turning off most of the security measures protecting the host from the
container.
A privileged container turns off the security features that isolate the
container from the host. Dropped Capabilities, limited devices, read/only mount
points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
Rootless containers cannot have more privileges than the account that launched them.
**--publish**, **-p**=*port*