问题
Is it possible to add a capability (for ex: NET_ADMIN) after the container has actually started?
I started a container few days ago and a service provided by it is being used by several other processes which are running remotely on other servers. I need to add a loopback interface to it, but unfortunately, I forgot to start the container with --cap-add=NET_ADMIN and hence couldn't add the interface now.
I'm looking for an option, if it is possible to give this capability somehow to this container.
回答1:
VanagaS
1.Stop Container:
docker stop yourcontainer;
2.Get container id:
docker inspect yourcontainer;
3.Modify hostconfig.json(default docker path:/var/lib/docker, you can change yours)
vim /var/lib/docker/containers/containerid/hostconfig.json
4.Search "CapAdd", and modify null to ["NET_ADMIN"];
....,"VolumesFrom":null,"CapAdd":["NET_ADMIN"],"CapDrop":null,....
5.Restart docker in host machine;
service docker restart;
6.Start yourconatiner;
docker start yourcontainer;
it work for me, enjoy it.
回答2:
No, you cannot modify the capabilities of a running container. These can only be defined when you first create or run (which is just a create+start) the container. You'll need to create a new container with the desired capabilities.
I should point out that you can assign additional network interfaces to a running container with docker network connect, but I'm not aware of any loopback drivers you could use to solve your issue using this technique.
回答3:
you can run commands inside a running container using docker exec -it {container_id} /bin/bash.
It will create a bash for you that you can run commands with. but generally it's not a good practice to have modifications on image states since it removes the portability of images.
来源:https://stackoverflow.com/questions/38758627/how-can-we-add-capabilities-to-a-running-docker-container