[Container](EN) Run privileged mode container in Docker or Kubernetes Pod
Environment and Prerequisite
- Linux base system
- Bash shell (/bin/bash)
- Docker
- Kubernetes
Run Privileged Mode
What is Privileged Mode?
--cap-add: Add Linux capabilities
--cap-drop: Drop Linux capabilities
--privileged (default: false): Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.
- By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices.
- By using `docker run --privileged`, the container can not only access all of the host's devices but also use most of the host kernel's functions. You can, for example, use the `systemctl` program or run a Docker daemon inside the Docker container.
- You can add or drop the needed Linux kernel (host) capabilities with the `--cap-add` and `--cap-drop` options. The available capability values are listed on the Docker official page.
Docker Container Privileged Mode Usage
- Give the `--privileged` option when running the container. `docker run` options must come before the image name; anything after the image is passed to the container as its command.

```bash
sudo docker run --privileged [OTHER OPTIONS...] [IMAGE NAME]
```
Docker Container Privileged Mode Example
- Download the `CentOS` image and use the `systemctl` command. `/sbin/init` must be running before `systemctl` can be used.
```bash
# Run docker container in privileged mode
# Run "/sbin/init" command in background
$ sudo docker run -d --privileged --name centos-example centos /sbin/init
# Access the docker container
$ sudo docker exec -it centos-example /bin/bash
# Run systemctl command
$ systemctl -a
...
```
Kubernetes Pod Container Privileged Mode Usage
- Add a `securityContext` with `privileged: true` to the Pod YAML file.
- The examples are from openstack-helm and the official page.
```yaml
...
containers:
  - name: pod-name
    image: image-name
    securityContext:
      privileged: true
...
```
Kubernetes Pod Container Privileged Mode Example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: pause
      image: k8s.gcr.io/pause
      securityContext:
        privileged: true
```
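Because `--privileged` and `privileged: true` hand a container the host's devices and most kernel capabilities, a practitioner usually wants to find where they are in use. The following is an added audit helper (not part of this post, and not a Docker or Kubernetes tool) that checks the two shapes shown above: the `HostConfig` section of `docker inspect` output and a Pod manifest loaded as a dict. The sample inputs are constructed to mirror the `centos-example` container and the `privileged-pod` manifest, and `RISKY_CAPS` is an assumed short list of capabilities worth flagging.

```python
import json

# Constructed sample: the part of `docker inspect <container>` output this
# check reads, for the centos-example container started with --privileged.
DOCKER_INSPECT_SAMPLE = json.dumps([{
    "Name": "/centos-example",
    "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None},
}])

# Constructed sample: the privileged-pod manifest as yaml.safe_load would return it.
POD_SAMPLE = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "privileged-pod"},
    "spec": {"containers": [
        {"name": "pause", "image": "k8s.gcr.io/pause",
         "securityContext": {"privileged": True}},
    ]},
}

# Assumed list: capabilities that are close to host-root when added with
# --cap-add or securityContext.capabilities.add.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

def _norm_cap(cap: str) -> str:
    cap = cap.upper()  # Docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN"
    return cap[4:] if cap.startswith("CAP_") else cap

def audit_docker_inspect(inspect_json: str) -> list[str]:
    """Return findings for containers whose HostConfig grants extra privilege."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        host = c.get("HostConfig") or {}
        if host.get("Privileged"):
            findings.append(f"{name}: runs with --privileged (all devices, most capabilities)")
        for cap in host.get("CapAdd") or []:
            if _norm_cap(cap) in RISKY_CAPS:
                findings.append(f"{name}: --cap-add {cap}")
    return findings

def audit_pod(pod: dict) -> list[str]:
    """Return findings for a Pod manifest (as a dict) that requests privilege."""
    findings = []
    spec = pod.get("spec") or {}
    pod_name = (pod.get("metadata") or {}).get("name", "?")
    for key in ("hostPID", "hostNetwork", "hostIPC"):  # host namespaces widen reach too
        if spec.get(key):
            findings.append(f"{pod_name}: {key}: true")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{pod_name}/{c['name']}: privileged: true")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if _norm_cap(cap) in RISKY_CAPS:
                findings.append(f"{pod_name}/{c['name']}: capabilities.add {cap}")
    return findings

if __name__ == "__main__":
    for line in audit_docker_inspect(DOCKER_INSPECT_SAMPLE) + audit_pod(POD_SAMPLE):
        print(line)
```

On a real host, feed it `docker inspect $(docker ps -q)` for the Docker side and `kubectl get pod -o json` items (each `.items[]` entry is one Pod dict) for the Kubernetes side.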