I am trying to clear my filesystem cache from inside a docker container, like so:
docker run --rm ubuntu:vivid sh -c "/bin/echo 3 > /proc/sys/vm/drop_caches"
If I run this command I get
sh: 1: cannot create /proc/sys/vm/drop_caches: Read-only file system
which is expected, as I cannot write to /proc
from inside the container.
Now when I call
docker run --rm --privileged ubuntu:vivid sh -c "/bin/echo 3 > /proc/sys/vm/drop_caches"
it works, which also makes sense to me, as the --privileged
container can do (almost) anything on the host.
My question is: how do I find out, which Linux capability I need to set in the command
docker run --rm --cap-add=??? ubuntu:vivid sh -c "/bin/echo 3 > /proc/sys/vm/drop_caches"
in order to make this work without having to set --privileged
?
Best Answer
The
proc
filesystem doesn't support capabilities, ACL, or even changing basic permissions withchmod
. Unix permissions determine whether the calling process gets access. Thus only root can write that file. With user namespaces, that's the global root (the one in the original namespace); root in a container doesn't get to change sysctl settings.As far as I know, the only solution to change a sysctl setting from inside a non-privileged namespace is to arrange a communication channel with the outside (e.g. a socket or pipe), and have the listening process run as root outside the container.