Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to know if a docker container is running in privileged mode

Tags:

bash

shell

docker

dockerfile

containers

Would like to know via bash script, if current running container was started in --privileged mode from inside the container (not from the host machine).

For now I'm stuck with passing an env var with the flag but is not an ideal solution.

like image 355
Leo Gallucci Avatar asked Aug 21 '15 15:08

Leo Gallucci

People also ask

How do I know if a container is privileged?

We have run the 'fdisk –l' command to check that the container is running under privilege mode. Notes: Any command that requires privilege flag to be successful can be used to test the privilege mode inside the container.

How do I run a Docker container in privileged mode?

By default, containers do not run in a privileged mode. For a container to run as a privileged application, the user must “flag” it to enable all capabilities to the container or pod. In other words, when a container is in a privileged mode, you are giving the container all the capabilities that a host can perform.

What is a privileged Docker container?

What is Docker Privileged Mode? Docker privileged mode grants a Docker container root capabilities to all devices on the host system. Running a container in privileged mode gives it the capabilities of its host machine. For example, it enables it to modify App Arm and SELinux configurations.

How do I run pods in privileged mode?

Running a pod in a privileged mode means that the pod can access the host's resources and kernel capabilities. You can turn a pod into a privileged one by setting the privileged flag to `true` (by default a container is not allowed to access any devices on the host).

1 Answers

From the docker host

Use the docker inspect command:

docker inspect --format='{{.HostConfig.Privileged}}' <container id>

And within a bash script you could have a test:

if [[ $(docker inspect --format='{{.HostConfig.Privileged}}' <container id>) == "false" ]]; then     echo not privileged else     echo privileged fi

From inside the container itself

You have to try to run a command that requires the --privileged flag and see if it fails

For instance ip link add dummy0 type dummy is a command which requires the --privileged flag to be successful:

$ docker run --rm -it ubuntu ip link add dummy0 type dummy RTNETLINK answers: Operation not permitted

while 

$ docker run --rm -it --privileged ubuntu ip link add dummy0 type dummy

runs fine.

In a bash script you could do something similar to this: 

ip link add dummy0 type dummy >/dev/null if [[ $? -eq 0 ]]; then     PRIVILEGED=true     # clean the dummy0 link     ip link delete dummy0 >/dev/null else     PRIVILEGED=false fi
like image 51
Thomasleveil Avatar answered Oct 21 '22 15:10

Thomasleveil
Sign in to Comment

Related questions

bash: defining a file-local variable invisible to sourcing script
bash functions: enclosing the body in braces vs. parentheses
bash: What is a jobspec
Kill a process and wait for the process to exit
How can I close a netcat connection after a certain character is returned in the response?
How to scroll back the terminal to where the last command was given?
Loop over set of strings containing spaces
Redirect standard input dynamically in a bash script
Checking file owner permissions
Using variable interpolation in string in Docker
How to make a shell executable node file using TypeScript
bash: $[<arithmetic-expression>] vs. $((<arithmetic-expression>))
How to use the .* wildcard in bash but exclude the parent directory (..)?
Regular Expression in Bash Script
What happened to the TMP environment variable?
replace a unknown string between two known strings with sed
Shell script working fine without shebang line? Why? [duplicate]
Running R Scripts with Plots
ignore bash backtick execution without escaping the ` character in git commit
How can I find out, whether a specific package is already installed in Arch Linux

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!