为什么mount命令是一个码头工人容器

Question

如何避免在这个泊坞窗会话结束时以下错误消息中禁用：

$ docker run -it ubuntu /bin/bash 
root@b3bcdc4551f5:/# ls 
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var 
root@b3bcdc4551f5:/# cd home/ 
root@b3bcdc4551f5:/home# ls 
root@b3bcdc4551f5:/home# mkdir 1 
root@b3bcdc4551f5:/home# mkdir 2 
root@b3bcdc4551f5:/home# mount --bind 1 2 
mount: block device /home/1 is write-protected, mounting read-only 
mount: cannot mount block device /home/1 read-only 

更新：

$ docker run --cap-add=SYS_ADMIN -it ubuntu /bin/bash 
root@1a6c069a8589:/# cd home/ 
root@1a6c069a8589:/home# mkdir 1 
root@1a6c069a8589:/home# mkdir 2 
root@1a6c069a8589:/home# mount --bind 1 2 
mount: block device /home/1 is write-protected, mounting read-only 
mount: cannot mount block device /home/1 read-only 
root@1a6c069a8589:/home# exit 
$ docker run --cap-add=ALL -it ubuntu /bin/bash 
root@1e04bcd81fee:/# cd home/ 
root@1e04bcd81fee:/home# mkdir 1 
root@1e04bcd81fee:/home# mkdir 2 
root@1e04bcd81fee:/home# mount --bind 1 2 
mount: block device /home/1 is write-protected, mounting read-only 
mount: cannot mount block device /home/1 read-only 
root@1e04bcd81fee:/home# exit 

--privileged是所有虽然。

Answer 1

自答案:)使用 '--security-opt apparmor:unconfine d'
禁用的AppArmor会工作。

编号：issue 16429

Answer 2

尝试按照推荐的issue 9950：

你不能调用安装，除非你有CAP_SYS_ADMIN，这是不提供默认容器配置。
你需要docker run --cap-add SYS_ADMIN