I’m looking to run a game streaming platform in a container. Notably, it needs to run Docker containers, have access to a graphics card, and be able to create input devices. An unprivileged container gets me most of the way there, with the notable exception of mknod access. I understand mknod is fundamentally incompatible with unprivileged containers, so I’m considering the viability of running it privileged. My question, then, is: is there anything I can do in order to restrict a privileged container at all?
You can try your hands at writing custom AppArmor and Seccomp policies to try to make a privileged container as locked down as possible, but it’s still going to be pretty risky business.
You mention needing mknod: what needs that? Docker, for image unpacking?
You may have a better experience using unprivileged Incus containers, as with those we have support for some system call interception and emulation, which allows for things like the whiteout mknod from Docker even inside an unprivileged container.
Incus is also able to directly run OCI images, so you may not need to run Docker nested to begin with.
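As an added example, not taken from this thread or from the Incus project, here is an Incus profile along the lines of the reply above: an unprivileged container with nesting for an inner Docker daemon, the host GPU passed through, and mknod/setxattr interception enabled instead of running privileged. Exposing /dev/uinput is my own assumption about how the virtual joysticks are created; the thread does not say.

```yaml
# Added example profile (not from the thread). Apply with:
#   incus profile create game-stream
#   incus profile edit game-stream < game-stream.yaml
#   incus launch images:debian/12 stream -p default -p game-stream
name: game-stream
description: Unprivileged container for a Docker-based game streaming platform
config:
  # Stay unprivileged: root inside the container maps to an unprivileged host uid.
  security.privileged: "false"
  # Needed for the Docker daemon to run nested inside this container.
  security.nesting: "true"
  # Let Incus intercept mknod/mknodat and emulate a limited subset of device
  # creation, including the overlayfs whiteout nodes Docker creates when
  # unpacking image layers, without granting real mknod rights on the host.
  security.syscalls.intercept.mknod: "true"
  # Docker's overlay2 driver also sets restricted trusted.* xattrs on layers;
  # intercept those so the storage driver works unprivileged.
  security.syscalls.intercept.setxattr: "true"
devices:
  # Pass through the host GPU (all GPUs; add pci/vendorid to narrow it down).
  gpu:
    type: gpu
  # Assumption: virtual joysticks are created through uinput. Exposing this one
  # character device is far narrower than giving the container all of /dev.
  uinput:
    type: unix-char
    source: /dev/uinput
    path: /dev/uinput
```

Whether the platform's joystick creation works with only /dev/uinput exposed is the one thing here to verify, since the thread does not confirm that is the mechanism it uses.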
Thank you. The platform is distributed as a Docker container that needs to create input devices (virtual joysticks), but it also creates additional containers using the Docker API, and is not adapted for other container platforms.
I found the intercept capabilities of Incus while researching all of this, and I don’t fully understand it, but I think it doesn’t help me in this case?