This Blog is to share our knowledge and expertise on Linux System Administration and VMware Administration

Tuesday, January 16, 2018

Working with Docker Container - Getting privileged access inside a container

Getting privileged access inside a container

Linux divides the privileges traditionally associated with the superuser into distinct units, known as capabilities (see man capabilities on a Linux system), which can be independently enabled and disabled. For example, the net_bind_service capability (CAP_NET_BIND_SERVICE) allows a non-root process to bind to ports below 1024. By default, Docker starts containers with a limited set of capabilities. With privileged access inside the container, we grant it additional capabilities so it can perform operations normally reserved for root on the host. For example, let's try to create a loopback device by mounting a disk image.

Syntax: docker run --privileged [OPTIONS] IMAGE[:TAG] [COMMAND] [ARG...]

root@Docker:~# docker run --privileged -i -t centos /bin/bash
[root@89f516205250 /]#
[root@89f516205250 /]# dd if=/dev/zero of=disk.img bs=1M count=10 &> /dev/null
[root@89f516205250 /]# mkfs -t minix disk.img &> /dev/null
[root@89f516205250 /]# mount disk.img /mnt/
[root@89f516205250 /]# mount | grep -i disk
/var/lib/docker/aufs/diff/72bebd0aff7bf4dbbd74495a41884d3113f2dedbfcffa3c82256abced73b0b21/disk.img on /mnt type minix (rw,relatime)
[root@89f516205250 /]# df -hP | grep -i /mnt
/dev/loop0                   9.9M  1.0K  9.9M   1% /mnt
[root@89f516205250 /]# cd /mnt/
[root@89f516205250 mnt]# echo "This is docker test" > test
[root@89f516205250 mnt]# cat test
This is docker test

This mode carries security risks, because a privileged container can gain root-level access to the Docker host. With Docker 1.2 or newer, two flags, --cap-add and --cap-drop, give fine-grained control over the capabilities a container receives. For example, to prevent any chown inside the container, drop the CHOWN capability:

Syntax: docker run --cap-drop=CHOWN [OPTIONS] IMAGE[:TAG] [COMMAND] [ARG...]
root@Docker:~# docker run --cap-drop=CHOWN  -i -t centos /bin/bash
[root@5c536ea0d181 /]# chown root:adm mnt
chown: changing ownership of 'mnt': Operation not permitted
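To confirm what a container actually ended up with, decode the CapEff mask that the kernel reports in /proc/1/status and compare it with Docker's default capability set. The script below is an added example, not code from the original post; the capability bit numbers are those of the kernel's capability.h, the DOCKER_DEFAULT set and its mask 00000000a80425fb are Docker's well-known defaults, and the three status excerpts are constructed to match the default, --cap-drop=CHOWN and --privileged cases shown above.

```python
import re

# Capability bit numbers, in order, from the kernel's include/uapi/linux/capability.h (bits 0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Docker's default set for a container run without --privileged/--cap-add (mask 00000000a80425fb).
DOCKER_DEFAULT = {
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw",
    "setgid", "setuid", "setfcap", "setpcap", "net_bind_service",
    "sys_chroot", "kill", "audit_write",
}

def decode_mask(mask):
    """Turn a CapEff/CapBnd bitmask into a set of capability names."""
    names = {n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1}
    # Bits above our table (newer kernels) keep a numeric placeholder.
    names |= {f"cap_{b}" for b in range(len(CAP_NAMES), mask.bit_length())
              if mask >> b & 1}
    return names

def read_cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def audit(status_text):
    """Report which caps were added to, or dropped from, Docker's default set."""
    caps = decode_mask(read_cap_eff(status_text))
    return {"extra": sorted(caps - DOCKER_DEFAULT),
            "dropped": sorted(DOCKER_DEFAULT - caps)}

# Constructed /proc/1/status excerpts for the three cases discussed in the post.
SAMPLES = {
    "default":    "Name:\tbash\nCapEff:\t00000000a80425fb\n",
    "cap-drop":   "Name:\tbash\nCapEff:\t00000000a80425fa\n",  # --cap-drop=CHOWN
    "privileged": "Name:\tbash\nCapEff:\t0000003fffffffff\n",  # --privileged on a 38-capability kernel
}
```

Inside a running container, `audit(open("/proc/1/status").read())` gives the same report for the real process; a non-empty "extra" list on a container that was not meant to be privileged is the thing to investigate.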

For help with docker run, use docker run --help.
