With tighter security restrictions, developers are running their code in more locked-down environments: containers with fewer privileges, non-root users and secure images. But there are times when we need to grant additional privileges to what runs inside.
Docker provides a privileged mode, which grants a Docker container root capabilities on all devices on the host machine. A container running in privileged mode gets all the capabilities of the host machine, including access to the host kernel and host devices.
Let's create a container in privileged mode as below,
[root]# docker run -it --privileged ubuntu
We can check whether a container is running in privileged mode as below,
[root]# docker inspect --format='{{.HostConfig.Privileged}}' d2973c618caf
true
Now, from inside the container, we can perform root-level operations such as mounting a new file system, as below,
[root]# mount -t tmpfs none /mnt
[root]# df -h
Filesystem      Size  Used Avail Use% Mounted on
overlay          20G  4.3G   16G  22% /
tmpfs            64M     0   64M   0% /dev
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
shm              64M     0   64M   0% /dev/shm
/dev/xvda1       20G  4.3G   16G  22% /etc/hosts
none            3.9G     0  3.9G   0% /mnt
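The docker inspect check shown earlier can be run across every running container to find the ones started with --privileged. The script below is an added example, not part of the original post; the function names, the --live switch and the sample container names are made up for illustration.

```shell
#!/bin/sh
# Added example: flag running containers that were started with --privileged.

# Print "<name> <privileged>" for every running container, using the same
# HostConfig.Privileged field that the docker inspect check reads.
list_containers() {
    ids=$(docker ps -q) || return 1
    if [ -z "$ids" ]; then
        return 0
    fi
    # $ids is intentionally unquoted: one argument per container ID.
    docker inspect --format '{{.Name}} {{.HostConfig.Privileged}}' $ids
}

# Read "<name> <privileged>" lines on stdin and print the names of the
# privileged containers. Returns 1 if any were found, so the function can
# fail a scheduled check or a CI job.
flag_privileged() {
    found=0
    while read -r name priv; do
        if [ -z "$name" ]; then
            continue
        fi
        if [ "$priv" = "true" ]; then
            printf '%s\n' "${name#/}"   # docker prefixes names with "/"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample in the format list_containers prints (not real output).
SAMPLE='/web false
/debug-shell true
/db false
/node-agent true'

if [ "${1:-}" = "--live" ]; then
    # Audit the local Docker daemon; exit status reflects the finding.
    list_containers | flag_privileged
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE" | flag_privileged || echo "privileged containers found in sample"
fi
```

Run without arguments it processes the constructed sample; run with --live on a Docker host it inspects the containers that are actually running.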
Allowing a container root access leaves the system open to attack. Malicious code running inside a privileged container can gain complete access to the host machine and cause serious damage, not just to that system but to the whole infrastructure. Hope this helps in understanding privileged mode in containers.