Docker: Sys_Admin Cap Reason?

[jakobkukla]

Description

Hey,

Can I run the docker container without the SYS_ADMIN cap? I usually like to run my containers in unprivileged mode, since it otherwise defeats the whole purpose of sandboxing with containerization.

If not, I suspect there must be a specific reason for the privileged mode. Sorry if I'm missing something obvious. It's late around here...

Thanks

[perfectly-preserved-pie]

I'd like to know this too. I'm curious to know what part of the bot requires (almost) root access to the host.

[riskynacho]

I haven't ran this in docker but I suspect it for those mac users who want to receive external calls to play sounds and open browsers.

[jef]

I agree! I would really not like to have this run as privileged mode. Unfortunately, Chromium doesn't like running without these priveledges.

Take a look here.

Seeing other weird errors when launching Chrome? Try running your container with docker run --cap-add=SYS_ADMIN when developing locally. Since the Dockerfile adds a pptr user as a non-privileged user, it may not have all the necessary privileges.

If you find anything in there and do some testing, I'd love to not have this requirement! Otherwise, it is a side effect with running in Docker.

[rchenzheng]

Thanks for your reply, I found this very concerning. Should we be looking at a solution to this as an issue?

[jef]

It's actually being worked on here now! #1291