### Specify isolation technology for container (--isolation)

This option is useful in situations where you are running Docker containers on
Windows. The `--isolation=<value>` option sets a container's isolation
technology. On Linux, the only supported value is `default`, which uses
Linux namespaces. On Microsoft Windows, you can specify these values:

* `default`: Use the value specified by the Docker daemon's `--exec-opt`. If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
* `process`: Namespace isolation only.
* `hyperv`: Hyper-V hypervisor partition-based isolation.

Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.

### Dealing with dynamically created devices (--device-cgroup-rule)

Devices available to a container are assigned at creation time. The
assigned devices are both added to the `cgroup.allow` file and
created in the container once it is run. This poses a problem when
a new device needs to be added to a running container.

One solution is to add a more permissive rule to a container,
allowing it access to a wider range of devices. For example, supposing
our container needs access to a character device with major `42` and
any minor number (added as new devices appear), the
following rule would be added:

```
docker create --device-cgroup-rule='c 42:* rmw' --name my-container my-image
```

Then, a user could ask `udev` to execute a script that would run `docker exec my-container mknod newDevX c 42 <minor>`
to create the required device when it is added.

NOTE: initially present devices still need to be explicitly added to
the create/run command.
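The rule string passed to `--device-cgroup-rule` is the only thing standing between the container and the host's device nodes, so it is worth checking how wide a rule is before it goes into `docker create`. The following POSIX shell script is an added example, not code from the Docker CLI or its documentation: it validates a rule against the grammar the CLI accepts (type `a`, `b` or `c`; major and minor as an integer or `*`; one to three of `r`, `w`, `m`), classifies its scope, checks which device nodes it would permit using the devices-cgroup matching semantics, and prints (rather than runs) the `docker exec ... mknod` command the `udev` hook from the text would issue. The function names, the container name `my-container` and the sample device numbers are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Docker docs: review a --device-cgroup-rule
# string before handing it to `docker create`.
# Rule grammar as accepted by the Docker CLI: "<type> <major>:<minor> <access>",
# type in a|b|c, major/minor an integer or '*', access one to three of r w m.

# Return 0 if $1 is a syntactically valid rule, 1 otherwise.
validate_device_cgroup_rule() {
    printf '%s\n' "$1" | grep -Eq '^[abc] ([0-9]+|[*]):([0-9]+|[*]) [rwm]{1,3}$'
}

# Split rule $1 into the shell variables rtype, rmajor, rminor, racc
# (parameter expansion only, so '*' is never subject to pathname expansion).
parse_rule() {
    rtype=${1%% *}
    _rest=${1#* }
    _mm=${_rest%% *}
    racc=${_rest#* }
    rmajor=${_mm%%:*}
    rminor=${_mm#*:}
}

# Print the scope of rule $1:
#   exact    one specific major:minor
#   major    one major number, any minor (the udev pattern from the text)
#   broad    any major, or type 'a' (every device): review before using
#   invalid  does not match the grammar
rule_scope() {
    validate_device_cgroup_rule "$1" || { echo invalid; return 1; }
    parse_rule "$1"
    if [ "$rtype" = a ] || [ "$rmajor" = '*' ]; then
        echo broad
    elif [ "$rminor" = '*' ]; then
        echo major
    else
        echo exact
    fi
}

# Return 0 if rule $1 permits device type $2, major $3, minor $4 with access
# letters $5. Mirrors the devices cgroup match: type 'a' matches any type,
# '*' matches any number, and every requested letter must be in the rule.
rule_permits() {
    validate_device_cgroup_rule "$1" || return 1
    parse_rule "$1"
    [ "$rtype" = a ] || [ "$rtype" = "$2" ] || return 1
    [ "$rmajor" = '*' ] || [ "$rmajor" = "$3" ] || return 1
    [ "$rminor" = '*' ] || [ "$rminor" = "$4" ] || return 1
    _want=$5
    [ -n "$_want" ] || return 1
    while [ -n "$_want" ]; do
        _ch=${_want%"${_want#?}"}      # first character of the remaining string
        _want=${_want#?}
        case $racc in *"$_ch"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Print the command the udev script would run for a newly appeared device:
# $1 container name, $2 node name, $3 major, $4 minor. Printed, not executed,
# so the operator can review what the hook will do.
mknod_exec_cmd() {
    printf 'docker exec %s mknod %s c %s %s\n' "$1" "$2" "$3" "$4"
}

# Usage with constructed values: the rule from the text, then the hook command
# for a device with minor 7 (mknod needs the 'm' access bit).
rule='c 42:* rmw'
echo "rule '$rule' scope: $(rule_scope "$rule")"
if rule_permits "$rule" c 42 7 m; then
    mknod_exec_cmd my-container newDevX 42 7
fi
```

The scope check is the part to keep in a review pipeline: a rule such as `a *:* rwm` passes the grammar just as well as `c 42:* rmw` but grants the container every device on the host, so anything classified `broad` should need an explicit justification.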