Run a --privileged docker container in an isolated environment #1551

kochia4 · 2022-11-24T12:29:25Z

kochia4
Nov 24, 2022

Hi everyone!
I need to run a --privileged docker container in an isolated environment, at Kata Slack, they told me that nerdctl seems good option for that.
The docker image needs several kernel features to be enabled on the host:

modprobe binder_linux devices="binder,hwbinder,vndbinder"
modprobe ashmem_linux

and --privileged flag during docker run
The project is here: redroid
I'm interested if I can run the image with nerdctl to ensure the host safety and isolation?

Answered by AkihiroSuda

Nov 25, 2022

nerdctl run --runtime=io.containerd.kata.v2 --privileged --security-opt privileged-without-host-devices might be what you are looking for, but I don't think Kata is likely to support binder and ashmem.
Probably you'll need to fork Kata for your custom kernel config.

View full answer

AkihiroSuda · 2022-11-25T12:21:16Z

AkihiroSuda
Nov 25, 2022
Maintainer

nerdctl run --runtime=io.containerd.kata.v2 --privileged --security-opt privileged-without-host-devices might be what you are looking for, but I don't think Kata is likely to support binder and ashmem.
Probably you'll need to fork Kata for your custom kernel config.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Run a --privileged docker container in an isolated environment #1551

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Run a --privileged docker container in an isolated environment #1551

Uh oh!

Uh oh!

kochia4 Nov 24, 2022

Replies: 1 comment

Uh oh!

AkihiroSuda Nov 25, 2022 Maintainer

kochia4
Nov 24, 2022

AkihiroSuda
Nov 25, 2022
Maintainer