What does the docker exec --privileged flag do? - docker

I've come across the --privileged flag for docker exec, but the manual does not provide much of an explanation:
--privileged Give extended privileges to the command
That's all. No more explanation or example.
Searching the web for more info, I only found descriptions of containers running in privileged mode, but it appears to me that this doesn't have anything to do with the privileged mode of docker exec. I assume that these privileges apply to the executed command, and I could imagine that it means that it is run under a privileged user (root). But then, I wonder what the difference would be compared to docker exec -u 0?

By default, container runtimes go to great lengths to shield a container from the host system. Running in --privileged mode disables/bypasses most of these checks. This basically means that if you are root in a container you have the privileges of root on the host system. It is only meant for special cases such as running Docker in Docker (for example in a pipeline for sharing the docker socket from the host) and should be avoided.
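One way to see how a root process with extended privileges differs from one that is only uid 0 is to compare effective capability sets. The following is an added example, not part of the original question or answer. Both status excerpts are constructed, using the CapEff value typical of a default Docker container and the value of a process holding all 41 capabilities on a recent kernel.

```python
"""Added example: compare effective capabilities of two root processes."""
import re

# Capability names by bit index, from linux/capability.h (CAP_ prefix omitted).
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

# Capabilities that give broad control over the host kernel or other processes.
HIGH_RISK = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
             "NET_ADMIN", "DAC_READ_SEARCH"}

# Constructed samples of /proc/<pid>/status (only the fields used here).
DEFAULT_ROOT = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
ALL_CAPS_ROOT = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def parse_status(text):
    """Return (effective_uid, CapEff as int) from /proc/<pid>/status text."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks Uid or CapEff")
    return int(uid.group(1)), int(cap.group(1), 16)


def decode_caps(mask):
    """Turn a capability bitmask into a set of names; unknown bits keep their index."""
    return {CAP_NAMES[b] if b < len(CAP_NAMES) else f"BIT_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1}


def assess(text):
    """Summarise one status excerpt: uid, capability count, high-risk capabilities."""
    uid, mask = parse_status(text)
    caps = decode_caps(mask)
    return {"uid": uid, "count": len(caps), "high_risk": sorted(caps & HIGH_RISK)}


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_ROOT), ("all caps", ALL_CAPS_ROOT)):
        print(label, assess(sample))
    with open("/proc/self/status") as fh:  # the current process, Linux only
        print("self", assess(fh.read()))
```

Both samples report uid 0, so the user ID alone does not distinguish them; the capability count and the high-risk list do.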

Related

How can a docker container run privileged but that of a user on the host?

Can a docker container be run privileged but that of a user?
I am trying to create a TryHackMe! room. My basic idea is to let users break out of a docker container, but only gain access to a non-privileged user. However, the only way I found to break out of a docker container is running docker with the --privileged flag, but that gives root privilege to the container, which is undesirable. How can I let a docker container run with the privilege of a user so that users can break out of it, but still not gain root access?
I agree with the --privileged security issue. You can avoid this and achieve your requirement by assigning the container a specific user.
docker run -it -u <user> <container>
For further reference and complex requirements:
userns-remap
rootless

Rootless-ly Running Docker Daemon inside another Docker container

According to Docker official website: https://docs.docker.com/engine/security/rootless/ it's possible to run Docker Daemon rootless-ly (without root access, no --privileged flag).
However I'm convinced this would not work when running from inside a Docker container. There is no way of getting modprobe inside a Docker container without root access (--privileged). So it's not possible to install the Docker rootless script.
Supposedly there is an official image in Docker hub: docker:dind-rootless image here. So I pulled the image and SSH'd into the container; however, I'm getting the following error when running dockerd:
INFO[2020-07-17T20:50:32.355617100Z] Starting up
dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation
Any suggestions on how to run Docker daemon rootlessly inside another Docker container? I know this is possible with root, but is there a way to do without? I can't get root access as I'm deploying to AWS fargate, which doesn't support privileged access at the container level.
It's been 2 years. There's an image for it now.
https://docs.docker.com/engine/security/rootless/#rootless-docker-in-docker

Docker in Docker without privileged mode?

I am trying to run docker daemon inside a docker container. But I need to run docker daemon in privilege mode. Only then I can run the daemon inside container. Is there any other way to run a docker daemon without privilege mode? Because privilege mode gives access to all the resources of the outside container and the machine on which that container is running. I don't want to do that.
Create a docker group, as described here. You do need to be superuser to add yourself.

How can I access a shell on the VM Linux host when using the Docker Windows Beta

I have set up Docker for Windows (Hyperv Beta) on my Laptop.
My intention is to experiment with some setups for containers I intend to install on my real server later. I am fairly new to Docker (but know the basics) so I wanted to experiment with volumes and volume images a bit.
However all anonymous volumes end up on the virtual Linux host. I would like to access the filesystem of the host, not within a container.
I cannot access it from within a container easily due to (well founded) security constraints. Neither can I find a way to access it from the windows prompt.
(Using Docker for Windows version 1.12.0-beta21)
I know that it is possible to mount volumes using the c share made by Docker for Windows, but that raises the complexity for me. My intent is to use Docker tutorials unmodified and inspect the results in the host filesystem. Preferably through a (bash) shell in the host VM or with a windows file access into the virtual machine.
Later on I would also like to copy volume contents into the vm volumes although that could be solved using a volume against the c drive.
After research on my own, I have deduced the following technique to create a privileged container that works as if it was the Linux root host. This is the best I have been able to pinpoint so far.
docker run --net=host --ipc=host --uts=host --pid=host -it --security-opt=seccomp=unconfined --privileged --rm -v /:/host alpine /bin/sh
Docker-machine will allow you to ssh to the default machine by typing:
"docker-machine ssh"
You'll be logged into the VM that is running docker.
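The docker run command in the question above combines --privileged with host namespaces, an unconfined seccomp profile and a bind mount of the host root. As an added example (not from the original posts), a defender can flag containers started this way from docker inspect output; the HostConfig field names are those docker inspect emits, while the sample records and container names are constructed.

```python
"""Added example: flag containers started with host-level access."""
import json
import sys

HOST_NS = {"NetworkMode": "--net=host", "IpcMode": "--ipc=host",
           "UTSMode": "--uts=host", "PidMode": "--pid=host"}

# Constructed sample in the shape of `docker inspect` output (fields trimmed).
SAMPLE = json.dumps([
    {"Name": "/hostshell", "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "IpcMode": "host",
        "UTSMode": "host", "PidMode": "host",
        "SecurityOpt": ["seccomp=unconfined"], "Binds": ["/:/host"]}},
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "NetworkMode": "bridge", "IpcMode": "private",
        "UTSMode": "", "PidMode": "", "SecurityOpt": None,
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
])


def audit(container):
    """Return the risky run options found in one inspect record."""
    hc = container.get("HostConfig") or {}
    found = []
    if hc.get("Privileged"):
        found.append("--privileged")
    found += [flag for field, flag in HOST_NS.items() if hc.get(field) == "host"]
    for opt in hc.get("SecurityOpt") or []:
        if opt.replace(":", "=", 1) in ("seccomp=unconfined", "apparmor=unconfined"):
            found.append("--security-opt " + opt)
    for bind in hc.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":  # host root directory bind-mounted
            found.append("-v " + bind)
    return found


def audit_all(inspect_text):
    """Map container name to findings, keeping only containers with findings."""
    report = {c.get("Name", "?"): audit(c) for c in json.loads(inspect_text)}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    # With no piped input, audit the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit_all(text).items():
        print(name, ", ".join(findings))
```

To audit running containers, pipe the output of docker inspect $(docker ps -q) into the script.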

Why set --privileged for VPN container?

I want to set up a VPN with a docker container. I found a popular image, mobtitude/vpn-pptp.
These are the start options.
# docker run -d --privileged -p 1723:1723 -v {local_path_to_chap_secrets}:/etc/ppp/chap-secrets mobtitude/vpn-pptp
I am confused about why the --privileged flag is added.
Some quotes from Docker official references
By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on cgroups devices).
When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with --privileged is available on the Docker Blog.
