I would like to know, via a bash script run from inside the container (not from the host machine), whether the currently running container was started in --privileged mode.
For now I'm stuck with passing an env var carrying the flag, but it is not an ideal solution.
We have run the 'fdisk -l' command to check that the container is running in privileged mode. Note: any command that requires the privileged flag to be successful can be used to test for privileged mode inside the container.
By default, containers do not run in privileged mode. For a container to run as a privileged application, the user must explicitly flag it, which enables all capabilities for the container or pod. In other words, a container in privileged mode is given all the Linux capabilities that a process on the host could have.
What is Docker Privileged Mode? Docker privileged mode gives a container access to all devices on the host system and grants it every Linux capability, so it has essentially the same privileges as a root process on the host machine. For example, it can modify AppArmor and SELinux configuration and load kernel modules.
Running a pod in privileged mode means that its containers can access the host's devices and kernel capabilities. In Kubernetes this is set per container, by setting `privileged: true` in the container's `securityContext` (by default a container is not allowed to access any devices on the host).
Use the docker inspect command:
docker inspect --format='{{.HostConfig.Privileged}}' <container id>
And within a bash script you could have a test:
if [[ $(docker inspect --format='{{.HostConfig.Privileged}}' <container id>) == "false" ]]; then
    echo not privileged
else
    echo privileged
fi
You have to try to run a command that requires the --privileged flag and see if it fails.
For instance ip link add dummy0 type dummy is a command which requires the --privileged flag to be successful:
$ docker run --rm -it ubuntu ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted
while
$ docker run --rm -it --privileged ubuntu ip link add dummy0 type dummy
runs fine.
In a bash script you could do something similar to this:
ip link add dummy0 type dummy >/dev/null 2>&1
if [[ $? -eq 0 ]]; then
    PRIVILEGED=true
    # clean up the dummy0 link
    ip link delete dummy0 >/dev/null 2>&1
else
    PRIVILEGED=false
fi
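A capability-based check, as an added example that is not part of either answer above. Two caveats motivate it: `docker inspect` needs the Docker API socket, which the question rules out, and a probe such as `ip link add` only proves that the process holds CAP_NET_ADMIN, which `--cap-add NET_ADMIN` grants without `--privileged`. The kernel exposes each process's capability sets in /proc/self/status, and `--privileged` leaves the bounding set (CapBnd) complete, i.e. every capability from 0 up to the value in /proc/sys/kernel/cap_last_cap is set. Comparing those two values detects privileged mode without creating any resource, and works even when the container runs as a non-root user (whose effective set may be empty). It cannot distinguish `--privileged` from `--cap-add ALL`, which also yields a full bounding set. The function names are this example's own, and the hexadecimal masks in the usage note are constructed sample values (the default Docker bounding set and the full set for cap_last_cap of 37 and 40).

```bash
#!/usr/bin/env bash
# Added example (not from the original page): detect --privileged from inside
# the container by checking whether the capability bounding set is complete.
# Assumes a Linux kernel exposing /proc/self/status and
# /proc/sys/kernel/cap_last_cap; the function names are this example's own.

# caps_full CAPMASK_HEX LAST_CAP
#   Exit 0 if every capability 0..LAST_CAP is present in CAPMASK_HEX
#   (the hex string as printed in /proc/PID/status), non-zero otherwise.
caps_full() {
    local mask="$1" last="$2"
    # Mask with bits 0..last set, e.g. last=37 -> 0x3fffffffff.
    local full=$(( (1 << (last + 1)) - 1 ))
    [ $(( 0x$mask & full )) -eq "$full" ]
}

# read_status_field NAME  -> prints the value of "NAME:" from /proc/self/status.
read_status_field() {
    local want="$1:" key val
    while read -r key val; do
        if [ "$key" = "$want" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done < /proc/self/status
    return 1
}

# is_privileged -> exit 0 when the bounding set holds every capability the
# running kernel knows about, which is what --privileged produces.
is_privileged() {
    local bnd last
    [ -r /proc/sys/kernel/cap_last_cap ] || {
        echo "cannot read cap_last_cap; not a Linux /proc?" >&2
        return 2
    }
    last=$(cat /proc/sys/kernel/cap_last_cap)
    bnd=$(read_status_field CapBnd) || {
        echo "no CapBnd line in /proc/self/status" >&2
        return 2
    }
    caps_full "$bnd" "$last"
}

# Usage: report the result for the current process.
if is_privileged; then
    echo "privileged (bounding set is complete)"
else
    echo "not privileged (bounding set is restricted)"
fi
```

Usage note: on a default Docker container CapBnd is 00000000a80425fb, so `caps_full 00000000a80425fb 40` fails, whereas a privileged container on a kernel with cap_last_cap 40 shows 000001ffffffffff and `caps_full 000001ffffffffff 40` succeeds. If you also want evidence of device access rather than just capabilities, check for a block device such as the host's disks under /dev, since `--cap-add ALL` does not populate /dev the way `--privileged` does.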