Build with docker and --privileged

Alqio · Jan 4, 2018 · Viewed 11.8k times

I'm using this guide to Build a Voice Kit with Amazon Lex and a Raspberry Pi, but I need to use Docker. The problem is that the script that the guide curls and runs requires access to /dev/tty. I can grant access to /dev/tty when running docker containers, but I don't know how to do that when building containers.

My Dockerfile looks like this:

FROM resin/rpi-raspbian

WORKDIR /app

ADD . /app

# The script requires these (curl fetches the installer; -y keeps apt-get
# from aborting on the "Do you want to continue?" prompt in a non-interactive build)
RUN apt-get update && apt-get install -y iputils-ping curl

# The script has to be run with sudo privileges but not as root
USER root
COPY sudoers.txt /etc/sudoers
RUN chmod 440 /etc/sudoers

RUN useradd -ms /bin/bash lex
# Note: this password ends up in an image layer and is visible to anyone who can pull the image
RUN echo 'lex:test' | chpasswd

# Fails at build time: the installer needs /dev/tty, which is not available during docker build
RUN curl https://get.pimoroni.com/phatdac | bash

USER lex

EXPOSE 80

# Comment out the last RUN command and uncomment this to run the installer at container start instead
#CMD curl https://get.pimoroni.com/phatdac | bash

And when I try to build the container with

docker build -t raspi1 .

it crashes on the script, because it can't access /dev/tty.

When running a container, I can use this script to grant access to /dev/tty and /dev/snd

#!/bin/sh

# --privileged makes every host device (including /dev/tty and /dev/snd)
# visible inside the container, so the explicit bind of /dev/snd is redundant here
docker run -ti --rm \
    -v /dev/snd:/dev/snd \
    --privileged \
    raspi7

and then try to use the script on startup with CMD in the Dockerfile. But if I do that, then I need to use the script every time I run the container, and I also need to RUN other stuff after the script has finished, which would be nice to have in the Dockerfile when building.

TL;DR: How do I grant access to /dev/tty and /dev/snd when building a Docker image?

Answer

Greg · Jul 17, 2019

Docker currently doesn't support exposing devices or, for that matter, privileged operations when building.

According to @cpuguy83 what you are doing now - building a portable image without access to the host and completing the configuration when the container is first started - is the right thing to do:

Doing this kind of stuff at first container start is exactly the right way to go. It's a runtime configuration it shouldn't be in the image.

See bountysource.

There is also an old but still open moby issue.
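A concrete way to follow that advice, as an added example that is not part of the original question or answer: an entrypoint script that runs the device-dependent installer once, at the container's first start, guarded by a marker file so it is not repeated on later starts, refuses to start at all if the devices the installer needs are missing, and then hands over to the image's CMD. The state directory /var/lib/lex, the STATE_DIR and SETUP_URL variables and the function names are assumptions made for this example; the installer URL is the one from the question.

```shell
#!/bin/sh
# entrypoint.sh: run the device-dependent setup once, at first container start,
# then exec the image's CMD. Added example; not code from the question or answer.
set -eu

# Where the "already configured" marker lives (assumed path). Mount a named
# volume here (-v lex-state:/var/lib/lex) so the setup survives container recreation.
STATE_DIR="${STATE_DIR:-/var/lib/lex}"
# Installer URL from the question; piped into bash exactly as the guide does.
SETUP_URL="${SETUP_URL:-https://get.pimoroni.com/phatdac}"

# Fail early with a clear message if a required device node is absent,
# instead of letting the installer die halfway through with a cryptic error.
require_devices() {
    for dev in "$@"; do
        if [ ! -e "$dev" ]; then
            echo "entrypoint: $dev is not available; start the container with --device $dev" >&2
            return 1
        fi
    done
}

# Run the shell command "$2" exactly once per state directory "$1".
# The marker is written only after the command succeeds, so a failed
# first attempt (say, the network was down) is retried on the next start.
run_once() {
    state_dir="$1"
    cmd="$2"
    marker="$state_dir/.configured"
    mkdir -p "$state_dir"
    if [ -f "$marker" ]; then
        return 0
    fi
    sh -c "$cmd" && touch "$marker"
}

main() {
    [ "$#" -gt 0 ] || { echo "usage: entrypoint.sh <command> [args...]" >&2; return 2; }
    require_devices /dev/snd /dev/tty
    run_once "$STATE_DIR" "curl -fsSL '$SETUP_URL' | bash"
    # exec so the CMD becomes PID 1 and receives docker stop's SIGTERM directly
    exec "$@"
}

# Docker passes the CMD as arguments; with no arguments only the functions
# above are defined, which keeps the file sourceable for testing.
[ "$#" -eq 0 ] || main "$@"
```

To use it, delete the `RUN curl https://get.pimoroni.com/phatdac | bash` line from the Dockerfile, `COPY entrypoint.sh /entrypoint.sh` (mode 755), set `ENTRYPOINT ["/entrypoint.sh"]` and keep the voice-kit program as `CMD`; the entrypoint then runs under whatever `USER` the image ends with, so the state directory must be writable by that user. At run time pass only the devices the installer needs, `docker run --device /dev/snd --device /dev/tty -v lex-state:/var/lib/lex raspi1`, rather than `--privileged`, which also hands the container every host device, all capabilities and no seccomp or AppArmor confinement. Fetching the installer with `curl -fsSL` makes a 404 or a dropped connection fail the pipeline instead of silently feeding bash an error page; since the script is still downloaded and executed at first start, pin or vendor a copy of it if you need the container's configuration to be reproducible.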