Docker Privileged - Should You Run Privileged Docker Containers?

September 10, 2020

Introduction

Docker privileged is one of many useful features of this powerful virtualization platform. Before you start working in privileged mode, make sure you understand how it works.

In this tutorial, you will learn what privileged Docker containers are, when to use them, and whether it is a good option for you.

Running Docker privileged containers

What is Docker Privileged Mode?

Docker privileged mode grants a Docker container root capabilities to all devices on the host system. Running a container in privileged mode gives it the capabilities of its host machine. For example, it enables it to modify App Arm and SELinux configurations.

With the host’s kernel features and device access, you can even install a new instance of the Docker platform within the privileged container. Essentially, this mode allows running Docker inside Docker.

What is Docker privileged mode

Note: Learn more about Docker containers and how they differ from Docker images in Docker Image Vs Container: The Major Differences.

How to Check if a Container is Privileged?

To check whether you are running a container in privileged mode, use the command:

docker inspect --format='{{.HostConfig.Privileged}}' [container_id]

If the container is privileged, the output responds with true, as in the image below.

Output showing a container is in privileged mode.

On the other hand, if the container is not privileged, the output displays the message false.

Output showing a container is not privileged.

How to Run Docker Privileged Mode?

Instruct Docker to run a container in privileged mode by adding the --privileged option to the run command:

sudo docker run --privileged [image_name]

Docker Privileged Example

To run an Ubuntu container (interactively) in privileged mode, you would use:

sudo docker run -it --privileged ubuntu

To test whether the container has access to the host, you can try to create a temporary file system (tmpfs) and mount it to /mnt:

mount -t tmpfs none /mnt

Now, list the disk space statistics (in human readable format) with the command:

df -h

The newly created file system should appear on the list, as in the image below.

Mount a temporary file system to the host from a container to test of container privilege.

Why Running Privileged Containers is Not Secure?

Just like Ubuntu discourages using the system as root, so does Docker. Exposing the kernel and the hardware resources of the host to any outside cyberattack is always a potential threat to the system.

For this reason, it is not recommended to use privileged containers in a production environment.

Possible Breaches Via Privileged Containers

Having privileged containers is a security risk for any organization. It creates opportunities for malicious users to take control of the system.

Allowing a container root access to everything on the system opens a window of opportunity for cyberattacks. A cyberattacker could connect to the host from the container and endanger the established infrastructure and configuration.

The most common scenario is when a legitimate user abuses the given privilege for malicious activity.

How to Minimize Docker Container Privilege Escalation?

The best way to prevent Docker container privilege escalation is not using privileged containers at all.

However, if you are running an application that requires executing with the root user, there is a way to minimize the chances of malicious activity. This is done by user namespace remapping, re-mapping the user for that specific container to a less-privileged user on the Docker host. Essentially, the container views the user as the root, while the host does not.

Re-mapping includes assigning a range of UIDs that function within the container (namespace) as normal UIDs from 0 to 65536 yet have no privileges on the host. Two files manage the user configuration – one for the user ID range (/etc/subuid) and the other for the group ID range (/etc/subgid).

By default, docker uses the dockremap user and group to make the remapping.

Note: For more details on working with Docker containers, refer to best practices for managing Docker containers.

Conclusion

After reading this article, you should know that running privileged Docker containers is not the safest option. However, if you cannot avoid doing so, make sure you protect the host to prevent potential breaches.

Was this article helpful?
YesNo
Sofija Simic
Sofija Simic is an experienced Technical Writer. Alongside her educational background in teaching and writing, she has had a lifelong passion for information technology. She is committed to unscrambling confusing IT concepts and streamlining intricate software installations.
Next you should read
How to Update Docker Image and Container to the Latest Version
August 13, 2020

To avoid running containers with outdated Docker images, update the image and run the container with the...
Read more
Docker Volumes: How to Create & Get Started
July 27, 2020

Persist data in Docker containers by mounting Docker volumes to containers. You can use an existing host...
Read more
How to Deploy and Run Redis in Docker
July 23, 2020

The tutorial shows you how to deploy Redis using the Docker run command. Also, learn how to deploy Redis on...
Read more
How to Set Docker Memory and CPU Usage Limit
June 29, 2020

Docker containers have unlimited access to RAM and CPU memory of the host. This is not the recommended...
Read more