Chrome under Docker: CAP_SYS_ADMIN vs privileged?
Solution 1:
AFAICS, the documentation suggests granting the capabilities needed for a container, rather than using the --privileged switch. Running in privileged mode seems to grant the container all capabilities (exactly which those are is listed in the first URL, provided that the docs are up to date).
In short, I'd say that --cap-add=SYS_ADMIN grants a smaller subset of capabilities to the container, compared to the --privileged switch. Even the examples in the Docker documentation (first URL) seem to prefer just adding the SYS_ADMIN or NET_ADMIN capability where needed.
Solution 2:
One difference is that --privileged mounts /dev and /sys as RW, whereas SYS_ADMIN mounts them as RO. This means that a privileged container has full access to devices on the system. SYS_ADMIN doesn't give you that.
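
Added example (not part of either answer, and not Docker's own code): a Python check to run inside a container that decodes the effective capability set from /proc/self/status and reports how /sys is mounted, the two differences discussed above. The sample status and mount lines are constructed, and the function names are hypothetical.

```python
"""Report a container's effective capabilities and the mode of /sys."""

# Capability names by bit number, as in linux/capability.h.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Constructed samples shaped like /proc/self/status and /proc/mounts lines.
SAMPLE_CAP_ADD = ("CapEff:\t00000000a82425fb\n",
                  "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n")
SAMPLE_PRIVILEGED = ("CapEff:\t000001ffffffffff\n",
                     "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n")


def effective_caps(status_text):
    """Decode the CapEff line of /proc/<pid>/status into capability names."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return {n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1}
    raise ValueError("no CapEff line found")


def mount_mode(mounts_text, mountpoint):
    """Return 'rw' or 'ro' for the last mount on mountpoint, or None."""
    mode = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            mode = "rw" if "rw" in fields[3].split(",") else "ro"
    return mode


def report(status_text, mounts_text):
    """Summarise the properties that separate the two launch modes."""
    caps = effective_caps(status_text)
    return {"cap_count": len(caps), "sys_admin": "SYS_ADMIN" in caps,
            "sys_module": "SYS_MODULE" in caps,
            "sys_mode": mount_mode(mounts_text, "/sys")}


if __name__ == "__main__":
    with open("/proc/self/status") as s, open("/proc/mounts") as m:
        print(report(s.read(), m.read()))
```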