EDUCBA

Home Software Development Software Development Tutorials Docker Tutorial Docker Privileged

Docker Privileged

Sarabjeet Singh
Article bySarabjeet Singh
Priya Pedamkar
Reviewed byPriya Pedamkar

Updated June 30, 2023

Docker Privileged

Introduction to Docker Privileged

The Docker privileged option is a feature available in the docker run command. It enables Docker containers to access all devices located under the /dev directory on the host machine. By default, Docker containers are restricted from accessing host devices for security reasons.A container gains all capabilities and can access all host’s devices, for example, CD-ROM, flash drives, hard drives attached to the host, and even access to webcams while running in privileged mode; however, we can limit the access using other different options available in the ‘docker run’ command. This feature is added in Docker 0.6

ADVERTISEMENT
Popular Course in this category
DOCKER Course Bundle - 7 Courses in 1

Start Your Free Software Development Course

Web development, programming languages, Software testing & others

Syntax:

docker run --privileged [OPTIONS] <docker_image>

[OPTIONS]

–cap-add: We can add additional capabilities to the container using this option

–cap-drop: We can limit additional capabilities to the container

Note: We have other OPTIONS available in the ‘docker run’ command, but we can use these options in addition to the ‘–privileged’ option.

Docker Privileged 1

In the above snapshot, we are just checking whether the privileged option is working fine or now; this is not a real scenario where we need to run the container in privileged mode.

How Privileged Function Works in Docker?

As we know, the privileged mode allows access to all devices connected to the host, similar to the host using those devices or resources. It allows access to all connected devices and makes some configuration changes in AppArmor or SELinux that allow the container to have almost the same access to the host as a process running outside containers on the host.

Examples

Let’s understand the working process of the privileged mode with the below examples:

Scenario 1:

Let’s run a non-privileged container and a privileged container and try to mount a disk inside the container to store the data. So, let’s assume we have two disks attached to our host, and we want to mount the second disk to the container to store the data produced by the application running inside a container.

1. Non-Privileged Container

Step 1 – Run a container without the privileged option using the command shown below: –

docker run -it --rm <Docker_Image> sh
docker run -it --rm ubuntu sh

In the above snapshot, we can see that a container has been started using the ‘ubuntu’ Docker image and connected to the container. We have also used the ‘–rm’ option to remove the container once we exit. Good for testing purposes.

 Docker Privileged 2

Step 2 – Now, try to list the available disks using the ‘fdisk’ utility as shown below: –

fdisk -l

Docker Privileged 3

In the above snapshot, we can see that it is not showing any disks because the container is not running in the privileged mode, so it is not displaying the attached disk. Let’s run a new container in privileged mode. 

2. Privileged Container

Step 1 – Run the below command to start a container in privileged mode; you just have to use one extra flag, which is the ‘–privilege’ option, as shown below: –

docker run -it --rm --privileged <Docker_Image> sh
docker run -it --rm --privileged ubuntu sh

Privileged Container

 Step2 – Let’s run the ‘fdisk’ command to list available disks as shown below: –

fdisk –l

Docker Privileged 4

disk model

In the above snapshot, we can see that it has listed all available disk information now and its partitions. Here, we are going to concentrate on ‘/dev/sdb’; the partition has been already for this disk, and the partition name is ‘/dev/sdb1’. This operation can be performed inside the container while it is running in privileged mode.

Step 3: Now, create a folder to mount this partition over there:

mkdir /mnt/my-data

Step3

Step 4: Let’s go ahead and mount this partition to the container and write some data into it as shown below: –

mount /dev/sdb1 /mnt/my-data

mount

Step 5: Change the directory to ‘/mnt/my-data’ and create a test file named ‘test.txt’ and also populate some data into it as shown below: –

cd /mnt/my-data
cat >> test.txt

It is a test file.

^Z(press ctrl + Z)
cat test.txt

cd

In the above snapshot, we have created a test file and added some text to it; now, we are going to exit from this container and mount the same disk partition to the host and try to access that file.

Step 6: Exit from the container and run the below command to mount the disk partition ‘/dev/sdb1’ to the host:

sudo mount /dev/sdb1 /mnt/disk2
cd /mnt/disk2
ls
cat test.txt

sudo mount

In the above snapshot, we have mounted the disk partition to an existing folder that is ‘/mnt/disk2’; you can mount it at any folder location you want, and sure enough, we are able to access the file created inside the container.

Scenario 2:

Use the ‘–cap-add’ and ‘–cap-drop’ options to add and limit the capabilities of the container, respectively.

Step 1: To provide all capabilities to a Docker container, including the default list of capabilities, and then drop a specific capability, you can use the –cap-add and –cap-drop options in combination.

docker run -it --rm --privileged --cap-add=ALL --cap-drop=MKNOD ubuntu sh

docker run

In the above snapshot, we have added all capabilities except the ‘MKNOD,’ which will prevent creating special files using mknode. We have run the ‘fdisk –l’ command to check that the container is running under privilege mode.

Notes:

  • Any command that requires a privilege flag to be successful can be used to test the privilege mode inside the container.
  • We can inspect the container to know if that container is running in privileged mode or not using the below command:

docker inspect --format='{{.HostConfig.Privileged}}' <container id>

docker run

Advantages

  • It provides similar access to the host to the container running in privileged mode.
  • It also allows you to run Docker in Docker with this mode.
  • We can provide Docker-as-a-Service if someone wants their own private Docker instance.

Conclusion

Docker-privileged mode is great in a few scenarios. However, we should be aware of its risks as we can do anything from inside the container, even if it can destroy the partition on which the host machine is running. It is recommended to limit access using other available flags.

Recommended Articles

This is a guide to Docker Privileged. Here we discuss the introduction, advantages, examples, and How Privileged Function Work in Docker. You may also have a look at the following articles to learn more –

  1. Docker Import
  2. Docker run Command
  3. Docker Hosts
  4. Docker Stop Container
ADVERTISEMENT
WINDOWS POWERSHELL Course Bundle - 7 Courses in 1
19+ Hours of HD Videos
7 Courses
Verifiable Certificate of Completion
Lifetime Access
4.5
ADVERTISEMENT
SALESFORCE Course Bundle - 4 Courses in 1
24+ Hours of HD Videos
4 Courses
Verifiable Certificate of Completion
Lifetime Access
4.5
ADVERTISEMENT
MINITAB Course Bundle - 9 Courses in 1 | 2 Mock Tests
35+ Hour of HD Videos
9 Courses
2 Mock Tests & Quizzes
Verifiable Certificate of Completion
Lifetime Access
4.5
ADVERTISEMENT
SAS PROGRAMMING Course Bundle - 18 Courses in 1 | 8 Mock Tests
123+ Hours of HD Videos
18 Courses
8 Mock Tests & Quizzes
Verifiable Certificate of Completion
Lifetime Access
4.5
quiz