Trying to run this with the proposed command from the docs causes the following error for me:

$ docker run --name dokuwiki -it -v /tmp/volume/:/overlay/storage --cap-add=SYS_ADMIN -p 8090:80 splitbrain/dokuwiki
mount: /var/www/html: cannot mount overlay read-only.

Only when I add --privileged it actually works. Does this mean --cap-add=SYS_ADMIN doesn't provide enough permissions to create the overlayfs?

Hmm good question. SYS_ADMIN is enough on my system. Might be a question of docker and kernel version?

$ docker --version
Docker version 20.10.1, build 831ebeae96
$ uname -a
Linux rumpel 5.9.14-arch1-1 #1 SMP PREEMPT Sat, 12 Dec 2020 14:37:12 +0000 x86_64 GNU/Linux

Hmm good question. SYS_ADMIN is enough on my system. Might be a question of docker and kernel version?

Possible. I'm not really a docker expert, unfortunately. I'm running the 5.10 kernel. Not sure if that's enough to explain the different results.

$ docker --version
Docker version 20.10.1, build 831ebeae96
$ uname -a
Linux tp-fs 5.10.2-2-MANJARO #1 SMP PREEMPT Tue Dec 22 08:14:42 UTC 2020 x86_64 GNU/Linux

@splitbrain If you're interested you can take some inspiration with my image: https://github.com/crazy-max/docker-dokuwiki

This is an interesting approach for sure, but I fear that the need for the container to have CAP_SYS_ADMIN may be a non-starter for some, it's a very broad privilege (even referred to as "overloaded" and "the new root" in man capabilities). I wonder if there is some better way to accomplish the same goal.

I'm glad to see thought and effort being put toward this regardless.

What about just dropping that capability after mounting? Then the security impact should be minimal.

I guess the same could be achieved using a FUSE based overlay FS like https://github.com/containers/fuse-overlayfs When I have time I'll do some tests.

Hmm seems like fuse needs a privileged container as well. I didn't expect that, what a bummer. @michitux how would I drop the privileges after mounting?

Hmm seems like fuse needs a privileged container as well. I didn't expect that, what a bummer. @michitux how would I drop the privileges after mounting?

A quick search gave me this page:

• https://linux-audit.com/linux-capabilities-101/

so, in entrypoing script, instead of invoking bash or httpd (whatever) you execute via capsh:

exec capsh --drop=cap_net_raw --print -- -c "/bin/ping -c 1 localhost"

Trying to run this with the proposed command from the docs causes the following error for me:

$ docker run --name dokuwiki -it -v /tmp/volume/:/overlay/storage --cap-add=SYS_ADMIN -p 8090:80 splitbrain/dokuwiki
mount: /var/www/html: cannot mount overlay read-only.

Only when I add --privileged it actually works. Does this mean --cap-add=SYS_ADMIN doesn't provide enough permissions to create the overlayfs?

I have the same issue running docker 20.10.3 on Debian Buster. Adding privileged works for docker run, but privileged can't be used in swarm mode.