Introduction
Docker privileged mode is one of the many useful features of this powerful virtualization platform. Before you start working in privileged mode, make sure you understand how it works.
In this tutorial, you'll learn what privileged Docker containers are, when to use them, and whether they are a good fit for you.
What is Docker privileged mode?
Docker privileged mode grants a Docker container root capabilities to all devices on the host system. Running a container in privileged mode gives it the capabilities of your host machine. For example, it allows the container to modify AppArmor and SELinux configurations.
With host kernel features and device access, you can even install a new instance of the Docker platform inside the privileged container. Essentially, this mode allows you to run Docker within Docker.
How to check if a container is privileged?
To check whether a container is running in privileged mode, use the command:
docker inspect --format='{{.HostConfig.Privileged}}' [container_id]
If the container is privileged, the output is true.
On the other hand, if the container is not privileged, the output is false.
How to run Docker privileged mode?
Instruct Docker to run a container in privileged mode by adding the --privileged option to the run command:
sudo docker run --privileged [image_name]
Docker Privileged example
To run an Ubuntu container interactively in privileged mode, you would use:
sudo docker run -it --privileged ubuntu
To check if the container has access to the host, you can try to create a temporary file system (tmpfs) and mount it in /mnt:
mount -t tmpfs none /mnt
Now, list the disk space statistics (in human-readable format) with the command:
df -h
The newly created file system should appear in the list.
Why is running privileged containers not secure?
Just as Ubuntu discourages the use of the system as root, so does Docker. Exposing the kernel and host hardware resources to any external cyberattack is always a potential threat to the system.
For this reason, we do not recommend using privileged containers in a production environment.
Potential breaches through privileged containers
Having privileged containers is a security risk for any organization. It creates opportunities for malicious users to take control of the system.
Allowing a root container to access everything on the system opens a window of opportunity for cyberattacks. A cyber attacker could connect to the host from the container and compromise the established infrastructure and configuration.
The most common scenario is when a legitimate user abuses the given privilege for malicious activities.
How to minimize Docker container privilege escalation?
The best way to avoid Docker container privilege escalation is to not use privileged containers at all.
However, if you are running an application that requires running as the root user, there is a way to minimize the chances of malicious activity. This is done by remapping the user namespace, which remaps the user for that specific container to a user with fewer privileges on the Docker host. Essentially, the container sees the user as root, while the host does not.
Remapping includes assigning a range of UIDs that function within the container (namespace) as regular UIDs from 0 to 65536 but do not have privileges on the host. Two files manage user settings: one for the user ID range (/etc/subuid) and the other for the group ID range (/etc/subgid).
By default, Docker uses the dockremap user and group to perform the remapping.
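The remapping described above, as an added example that is not part of the original article: a shell function that reads an /etc/subuid-style file and reports which host UID a container UID resolves to for a given remap user. The function name map_uid, the sample file contents and the 100000:65536 range are constructed for illustration, and only the user's first range is considered.

```shell
#!/bin/sh
# Added example: resolve a container UID to the host UID it receives under
# user-namespace remapping. Each /etc/subuid line has the form
#   <user>:<first_host_uid>:<count>
# Remapping itself is enabled on the daemon with the userns-remap setting
# (the value "default" selects the dockremap user and group).

# map_uid FILE USER CONTAINER_UID
# Prints the host UID and returns 0. Prints "unmapped" and returns 1 when the
# user has no entry, the UID is not a number, or it falls outside the range.
# Assumption: only the first range listed for USER is used.
map_uid() {
    case "$3" in
        ''|*[!0-9]*) echo "unmapped"; return 1 ;;
    esac
    awk -F: -v user="$2" -v cuid="$3" '
        $1 == user {
            # Container UID N maps to first_host_uid + N while N < count.
            if (cuid + 0 < $3 + 0) { print $2 + cuid; ok = 1 }
            exit
        }
        END { if (!ok) { print "unmapped"; exit 1 } }
    ' "$1"
}

# Constructed sample of /etc/subuid (not taken from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' 'alice:165536:65536' 'dockremap:100000:65536' > "$sample"

# Root inside the container is an unprivileged, high-numbered UID on the host.
echo "container uid 0     -> host uid $(map_uid "$sample" dockremap 0)"
echo "container uid 1000  -> host uid $(map_uid "$sample" dockremap 1000)"
# UIDs beyond the assigned range have no host identity at all.
echo "container uid 70000 -> $(map_uid "$sample" dockremap 70000 || true)"
```

Note that on a daemon with user-namespace remapping enabled, docker run --privileged is only accepted together with --userns=host, which turns the remapping off for that container.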
Conclusion
After reading this article, you should know that running privileged Docker containers is not the safest option. However, if you can’t avoid doing so, be sure to protect the host to prevent potential breaches.