diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-01-13 08:27:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-13 08:27:15 +0100 |
commit | aa554d7ba250390ac2383165edecc27f37a07896 (patch) | |
tree | 700e505711b9ef502873ce250f1b621a16ae3053 /docs/source | |
parent | 55dd73cf5830eb44128f5b580cee3fb1e74dbea6 (diff) | |
parent | 9c8e2822cb95679106a26fd4eb92f8323148a619 (diff) | |
download | podman-aa554d7ba250390ac2383165edecc27f37a07896.tar.gz podman-aa554d7ba250390ac2383165edecc27f37a07896.tar.bz2 podman-aa554d7ba250390ac2383165edecc27f37a07896.zip |
Merge pull request #4841 from markstos/issue-4840-improve-privileged-docs
docs: --privileged docs completeness, consistency
Diffstat (limited to 'docs/source')
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 4 | ||||
-rw-r--r-- | docs/source/markdown/podman-exec.1.md | 14 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 19 |
3 files changed, 26 insertions, 11 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 2bbe4f70a..fdc2edf39 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -586,7 +586,7 @@ To make a pod with more granular options, use the `podman pod create` command be Give extended privileges to this container. The default is *false*. By default, Podman containers are -“unprivileged” (=false) and cannot, for example, modify parts of the kernel. +“unprivileged” (=false) and cannot, for example, modify parts of the operating system. This is because by default a container is not allowed to access any devices. A “privileged” container is given access to all devices. @@ -595,6 +595,8 @@ to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. +Rootless containers cannot have more privileges than the account that launched them. + **--publish**, **-p**=*port* Publish a container's port, or range of ports, to the host diff --git a/docs/source/markdown/podman-exec.1.md b/docs/source/markdown/podman-exec.1.md index d46427c91..fc67211d1 100644 --- a/docs/source/markdown/podman-exec.1.md +++ b/docs/source/markdown/podman-exec.1.md @@ -43,7 +43,19 @@ Pass down to the process N additional file descriptors (in addition to 0, 1, 2). **--privileged** -Give the process extended Linux capabilities when running the command in container. +Give extended privileges to this container. The default is *false*. + +By default, Podman containers are +"unprivileged" and cannot, for example, modify parts of the operating system. +This is because by default a container is only allowed limited access to devices. +A "privileged" container is given the same access to devices as the user launching the container. + +A privileged container turns off the security features that isolate the +container from the host. Dropped Capabilities, limited devices, read/only mount +points, Apparmor/SELinux separation, and Seccomp filters are all disabled. + +Rootless containers cannot have more privileges than the account that launched them. + **--tty**, **-t** diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 3f6effb75..d9fdd9650 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -599,15 +599,16 @@ If a container is run with a pod, and the pod has an infra-container, the infra- Give extended privileges to this container. The default is *false*. -By default, Podman containers are “unprivileged” (=false) and cannot, -for example, modify parts of the kernel. This is because by default a -container is not allowed to access any devices. A “privileged” container -is given access to all devices. - -When the operator executes **podman run --privileged**, Podman enables access -to all devices on the host, turns off graphdriver mount options, as well as -turning off most of the security measures protecting the host from the -container. +By default, Podman containers are “unprivileged” (=false) and cannot, for +example, modify parts of the operating system. This is because by default a +container is only allowed limited access to devices. A "privileged" container +is given the same access to devices as the user launching the container. + +A privileged container turns off the security features that isolate the +container from the host. Dropped Capabilities, limited devices, read/only mount +points, Apparmor/SELinux separation, and Seccomp filters are all disabled. + +Rootless containers cannot have more privileges than the account that launched them. **--publish**, **-p**=*port* |