GITBOOK-21: BE-12696 Add support for docker run --security-opt

This commit is contained in:
Hannah Cooper
2026-03-19 02:04:24 +00:00
committed by gitbook-bot
parent 197e588ab2
commit 6c6e6ff6e0
3 changed files with 14 additions and 12 deletions


@@ -106,14 +106,15 @@ This section lets you configure runtime options for your container, add or confi
Here you can configure runtime options for the container.
| Field/Option | Overview |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Privileged mode | Enable this option to run the container in [privileged mode](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). |
| Init | Enable this option to tell Docker that an init process should be used as PID 1 in the container. |
| Type | Select the runtime type to use to start the container. Options will depend on available runtimes on your Docker host. |
| Devices | Use this option to make devices on your Docker host available within the container. Click **add device** to add a new device, and define the **host** path for the device and the **container** path for where you want the device to appear within the container. |
| Sysctls | Use this option to specify sysctls to make available within the container. Click **add sysctl** to add a new sysctl, and set the **name** and **value** for your sysctl as required. |
| Shared memory size | Specify the size (in MB) of the shared memory device (`/dev/shm`) for the container. |
| Field/Option | Overview |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Privileged mode | Enable this option to run the container in [privileged mode](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). |
| Init | Enable this option to tell Docker that an init process should be used as PID 1 in the container. |
| Type | Select the runtime type to use to start the container. Options will depend on available runtimes on your Docker host. |
| Devices | Use this option to make devices on your Docker host available within the container. Click **add device** to add a new device, and define the **host** path for the device and the **container** path for where you want the device to appear within the container. |
| Sysctls | <p>Use this option to specify sysctls to make available within the container. Click <strong>add sysctl</strong> to add a new sysctl, and set the <strong>name</strong> and <strong>value</strong> for your sysctl as required.<br>This option can not be accessed by non-admin users by default, this can be changed in the <a href="../host/setup.md#docker-security-settings">Docker security settings</a>.</p> |
| SecurityOpt | Use this option to state a [security option](https://docs.docker.com/reference/cli/docker/container/run/#security-opt) for your containers and stacks. Click **add security-opt** to add a new security option. This option can not be accessed by non-admin users by default, this can be changed in the [Docker security settings](../host/setup.md#docker-security-settings). |
| Shared memory size | Specify the size (in MB) of the shared memory device (`/dev/shm`) for the container. |
<figure><img src="../../../.gitbook/assets/2.20-containers-advanced-runtime.png" alt=""><figcaption></figcaption></figure>
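Review bot: the new SecurityOpt row (the line beginning `| SecurityOpt |`) never says what a security option looks like or why it is restricted to admins, so a reader has to leave the page to find out. Suggest stating the `key=value` form that `docker run --security-opt` takes and naming the usual keys, e.g. `seccomp=<profile.json>`, `apparmor=<profile>`, `label=<SELinux option>` and `no-new-privileges`, plus one sentence on the risk: values such as `seccomp=unconfined`, `apparmor=unconfined` or `label=disable` remove the container's default confinement, which is the same class of exposure that keeps device mappings admin-only. Two smaller points in the same table: "can not" should be "cannot" in both the Sysctls and SecurityOpt rows, and "SecurityOpt" is the only row title in CamelCase; "Security options" would match "Shared memory size", with the flag name `--security-opt` kept in the description.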

@@ -58,8 +58,6 @@ If this setting is enabled and an update is made to an application outside of th
This section allows you to toggle assorted Docker-related security settings for the environment.&#x20;
<figure><img src="../../../.gitbook/assets/2.38-docker-security.png" alt=""><figcaption></figcaption></figure>
| Option | Overview |
| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Hide bind mounts for non-administrators | <p>Prevents non-admin users within Portainer from using bind mounts when creating containers and/or services/stacks. When toggled on, the option to attach to a host file system path is removed for non-admin users.<br>This is applied by default.</p> |
@@ -69,15 +67,18 @@ This section allows you to toggle assorted Docker-related security settings for
| Hide device mappings for non-administrators | <p>Blocks users from mapping host devices into containers. Whilst the ability to map devices is generally used for good (e.g. mapping a GPU into a container), it can equally be used by non-trustworthy authorized users to map a physical storage device into a container. It is possible to mount <code>/dev/sda1</code> into a container, and then from a console of that container, the user would have complete access to the sda1 device without restriction. By toggling this on, Portainer blocks the ability for non-admin users to map ANY devices into containers.<br>This is applied by default.</p> |
| Hide container capabilities for non-administrators | <p>Toggle on to hide the <strong>Container capabilities</strong> tab for non-admin users when they are <a href="../containers/add.md">adding a container</a>.<br>This is applied by default.</p> |
| Hide sysctl settings for non-administrators | <p>Toggle on to stop non-admin users from using sysctl options, preventing them from recreating, duplicating or editing containers.<br>This is applied by default.</p> |
| Hide security-opt for non-administrators | <p>Toggle on to stop non-admin users from supplying security-opt options to containers and stacks.<br>This is applied by default.</p> |
<figure><img src="../../../.gitbook/assets/2.40.0-docker-security-settings.png" alt=""><figcaption></figcaption></figure>
## Other
This section contains other assorted environment-specific settings.
<figure><img src="../../../.gitbook/assets/2.18-host-setup-other.png" alt=""><figcaption></figcaption></figure>
| Option | Overview |
| ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Show GPU in the UI | Toggle on to enable GPU assignments in the Portainer UI. This adds additional processing to the container and stack listing pages, so if you are not using GPUs on your environment we recommend toggling this off. |
| Add GPU | <p>When <strong>Show GPU in the UI</strong> is toggled on, click Add GPU to add GPUs to your environment for use by your containers.<br>To add a GPU, provide a name for the GPU and an index or UUID to reference the GPU.</p> |
| Show an image(s) up to date indicator for Stacks, Services and Containers | <p>Toggle on to enable the <a href="../containers/">new image indicator</a> feature for this environment. Toggle off to disable the feature.<br><br>This feature is only available in Portainer Business Edition.</p> |
<figure><img src="../../../.gitbook/assets/2.18-host-setup-other.png" alt=""><figcaption></figcaption></figure>
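Review bot: the new "Hide security-opt for non-administrators" row (the line beginning `| Hide security-opt`) says only that non-admins are stopped from supplying security-opt options; unlike the Sysctls row directly above it, it does not say what happens when a non-admin recreates, duplicates or edits a container or stack that already carries a security-opt value set by an admin. If the behaviour matches the sysctl toggle, suggest mirroring it, e.g. "Toggle on to stop non-admin users from supplying security-opt options to containers and stacks. Non-admin users will also be unable to recreate, duplicate or edit containers or stacks that already have security-opt values set." Adding why the default is on would also help: `seccomp=unconfined`, `apparmor=unconfined` and `label=disable` strip the runtime's default confinement, so this toggle belongs in the same class as the device-mapping one. The sysctl row's own wording, "preventing them from recreating, duplicating or editing containers", reads as if it blocks every container edit and should be narrowed to containers that have sysctls set. Lastly, the Other section embeds `2.18-host-setup-other.png` twice, before and after its table; one of the two figure lines should go.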