Many users get confused about the --privileged flag. Users often equate this flag to unconfined or full root access to the host system. In this blog, I discuss what the --privileged flag does with container engines such as Podman, Docker, and Buildah.

What does the --privileged flag cause container engines to do?

Executing container engines with the --privileged flag tells the engine to launch the container process without any further "security" lockdown.

What privileges does it give to the container processes?

Note: Running container engines in rootless mode does not mean they run with more privilege than the user executing the command. Containers are blocked from additional access by Linux anyway. Your processes still run as the user process that launched them on the host. So, for example, running --privileged does not suddenly allow the container process to bind to a port less than 1024. The kernel does not allow non-root users to bind to these ports, so users launching container processes are not allowed access either.

The bottom line is that using the --privileged flag does not tell the container engines to add additional security constraints. The --privileged flag does not add any privilege over what the processes launching the containers have. Tools like Podman and Buildah do NOT give any additional access beyond the processes launched by the user.

To understand the --privileged flag, you need to understand the security enabled by container engines, and what is disabled.

Kernel file systems provide a mechanism for a process to alter the way the kernel runs. They also provide information to processes on the system. By default, we don't want container processes to modify the kernel, so we mount kernel file systems as read-only within the container. The read-only mounts prevent privileged processes, and processes with capabilities in the user namespace, from writing to the kernel file systems.
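To make the read-only kernel file system point concrete, here is an added example (not code from the original post) that reads /proc/self/mountinfo-style data and reports which protected kernel paths a process inside the container could still write to. The two mountinfo samples are constructed, and PROTECTED_PATHS and the helper names are assumptions.

```python
# Added example, not from the original post: audit which kernel file systems a
# container process could write to. The mountinfo samples are constructed and
# PROTECTED_PATHS and the helper names are assumptions.
from collections import namedtuple

# Paths a default (non --privileged) container typically gets read-only.
PROTECTED_PATHS = ("/proc/sys", "/sys", "/sys/fs/cgroup")

# Constructed sample: default container, /proc/sys, /sys and cgroups mounted ro.
DEFAULT_MOUNTINFO = """\
446 445 0:58 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
447 445 0:59 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
448 446 0:58 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
449 447 0:60 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
"""
# Constructed sample: --privileged container, same file systems but all rw.
PRIVILEGED_MOUNTINFO = """\
446 445 0:58 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
447 445 0:59 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
449 447 0:60 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
"""

Mount = namedtuple("Mount", "mount_point fs_type options")

def parse_mountinfo(text):
    """Parse /proc/self/mountinfo lines (format per proc(5))."""
    mounts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or "-" not in f[6:]:
            continue  # blank or malformed line
        sep = f.index("-", 6)  # end of the variable-length optional fields
        mounts.append(Mount(f[4].replace(r"\040", " "), f[sep + 1],
                            frozenset(f[5].split(","))))
    return mounts

def governing_mount(mounts, path):
    """Longest-prefix match: the mount that actually serves `path`."""
    hits = [m for m in mounts
            if path == m.mount_point or path.startswith(m.mount_point.rstrip("/") + "/")]
    return max(hits, key=lambda m: len(m.mount_point), default=None)

def writable_kernel_paths(text, paths=PROTECTED_PATHS):
    """Protected paths a process in the container could write to (empty = locked down)."""
    mounts = parse_mountinfo(text)
    return [p for p in paths
            if (m := governing_mount(mounts, p)) is None or "ro" not in m.options]
```

Inside a real container, feed it `open("/proc/self/mountinfo").read()` to see whether the engine's read-only protections are in place.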