summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMark Stosberg <mark@rideamigos.com>2020-01-10 22:02:08 -0500
committerMark Stosberg <mark@rideamigos.com>2020-01-12 23:28:12 -0500
commit9c8e2822cb95679106a26fd4eb92f8323148a619 (patch)
tree76df9806af8fdb5912e6461ec863e3271f755330 /docs
parent0e9c208d3f9fc6f160f7e7746119ddf99ae6f220 (diff)
downloadpodman-9c8e2822cb95679106a26fd4eb92f8323148a619.tar.gz
podman-9c8e2822cb95679106a26fd4eb92f8323148a619.tar.bz2
podman-9c8e2822cb95679106a26fd4eb92f8323148a619.zip
docs: --privileged docs completeness, consistency
As discussed in https://github.com/containers/libpod/issues/4840 Signed-off-by: Mark Stosberg <mark@rideamigos.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/source/markdown/podman-create.1.md4
-rw-r--r--docs/source/markdown/podman-exec.1.md14
-rw-r--r--docs/source/markdown/podman-run.1.md19
3 files changed, 26 insertions, 11 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 2bbe4f70a..fdc2edf39 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -586,7 +586,7 @@ To make a pod with more granular options, use the `podman pod create` command be
Give extended privileges to this container. The default is *false*.
By default, Podman containers are
-“unprivileged” (=false) and cannot, for example, modify parts of the kernel.
+“unprivileged” (=false) and cannot, for example, modify parts of the operating system.
This is because by default a container is not allowed to access any devices.
A “privileged” container is given access to all devices.
@@ -595,6 +595,8 @@ to all devices on the host, turns off graphdriver mount options, as well as
turning off most of the security measures protecting the host from the
container.
+Rootless containers cannot have more privileges than the account that launched them.
+
**--publish**, **-p**=*port*
Publish a container's port, or range of ports, to the host
diff --git a/docs/source/markdown/podman-exec.1.md b/docs/source/markdown/podman-exec.1.md
index d46427c91..fc67211d1 100644
--- a/docs/source/markdown/podman-exec.1.md
+++ b/docs/source/markdown/podman-exec.1.md
@@ -43,7 +43,19 @@ Pass down to the process N additional file descriptors (in addition to 0, 1, 2).
**--privileged**
-Give the process extended Linux capabilities when running the command in container.
+Give extended privileges to this container. The default is *false*.
+
+By default, Podman containers are
+"unprivileged" and cannot, for example, modify parts of the operating system.
+This is because by default a container is only allowed limited access to devices.
+A "privileged" container is given the same access to devices as the user launching the container.
+
+A privileged container turns off the security features that isolate the
+container from the host. Dropped Capabilities, limited devices, read/only mount
+points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
+
+Rootless containers cannot have more privileges than the account that launched them.
+
**--tty**, **-t**
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 3f6effb75..d9fdd9650 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -599,15 +599,16 @@ If a container is run with a pod, and the pod has an infra-container, the infra-
Give extended privileges to this container. The default is *false*.
-By default, Podman containers are “unprivileged” (=false) and cannot,
-for example, modify parts of the kernel. This is because by default a
-container is not allowed to access any devices. A “privileged” container
-is given access to all devices.
-
-When the operator executes **podman run --privileged**, Podman enables access
-to all devices on the host, turns off graphdriver mount options, as well as
-turning off most of the security measures protecting the host from the
-container.
+By default, Podman containers are “unprivileged” (=false) and cannot, for
+example, modify parts of the operating system. This is because by default a
+container is only allowed limited access to devices. A "privileged" container
+is given the same access to devices as the user launching the container.
+
+A privileged container turns off the security features that isolate the
+container from the host. Dropped Capabilities, limited devices, read/only mount
+points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
+
+Rootless containers cannot have more privileges than the account that launched them.
**--publish**, **-p**=*port*