37

I would like to know, via a bash script, whether the currently running container was started in --privileged mode, from inside the container (not from the host machine).

For now I'm stuck with passing an env var with the flag, but that is not an ideal solution.

Leo Gallucci

2 Answers

69

From the docker host

Use the docker inspect command:

docker inspect --format='{{.HostConfig.Privileged}}' <container id>

And within a bash script you could have a test:

if [[ $(docker inspect --format='{{.HostConfig.Privileged}}' <container id>) == "false" ]]; then
    echo not privileged
else
    echo privileged
fi

From inside the container itself

You have to try to run a command that requires the --privileged flag and see if it fails.

For instance, ip link add dummy0 type dummy is a command which requires the --privileged flag to be successful:

$ docker run --rm -it ubuntu ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted

while

$ docker run --rm -it --privileged ubuntu ip link add dummy0 type dummy

runs fine.

In a bash script you could do something similar to this:

ip link add dummy0 type dummy >/dev/null
if [[ $? -eq 0 ]]; then
    PRIVILEGED=true
    # clean the dummy0 link
    ip link delete dummy0 >/dev/null
else
    PRIVILEGED=false
fi
Thomasleveil
  • I am trying to make a container privileged and also add caps with `docker_container` from Ansible, but no success, no error message but at the end the container is not running on privileged mode at all. Anyone with a fix for this? – zevarito Aug 01 '16 at 14:43
  • [docker inspect](https://docs.docker.com/engine/reference/commandline/inspect/) URL has changed – Ioanna Sep 05 '18 at 09:16
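A complementary in-container check, added here as an example and not part of the answer above or of Docker's own tooling: instead of probing with a side-effecting command, read the capability bounding set from /proc/self/status. A container started with --privileged gets every capability up to the kernel's cap_last_cap, so its CapBnd line equals the full mask 2^(cap_last_cap+1)-1, whereas Docker's default set is a much smaller value. The functions take the status text and cap_last_cap as parameters so the logic can be exercised on the constructed sample lines embedded below; the privileged_self_check wrapper reads the real /proc files. The sample values (Docker's default set 00000000a80425fb and the full set 000001ffffffffff for cap_last_cap=40) are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example, not from the original answers: decide from inside a container
# whether the process runs with a full capability bounding set, which is what
# --privileged implies. Note that --cap-add=ALL yields the same bounding set,
# so a positive result means "at least effectively privileged".

# Extract the hexadecimal CapBnd value from text in /proc/<pid>/status format.
capbnd_from_status() {
  printf '%s\n' "$1" | awk '/^CapBnd:/ { print $2; exit }'
}

# Hex mask with every capability 0..last_cap set: 2^(last_cap+1)-1.
# Shell arithmetic is 64-bit; last_cap is 40 on current kernels, well inside that.
full_cap_mask() {
  printf '%x\n' $(( (1 << ($1 + 1)) - 1 ))
}

# Usage: is_full_bounding_set "<status text>" <cap_last_cap>
# Returns 0 when the bounding set equals the full mask, 1 otherwise.
is_full_bounding_set() {
  status_text="$1"
  last_cap="$2"
  capbnd=$(capbnd_from_status "$status_text") || return 1
  [ -n "$capbnd" ] || return 1
  # Compare numerically so leading zeros and letter case do not matter.
  [ $(( 0x$capbnd )) -eq $(( (1 << (last_cap + 1)) - 1 )) ]
}

# Wrapper for the running system: reads the kernel's own values.
# Returns 0 if privileged, 1 if not, 2 if /proc is unavailable.
privileged_self_check() {
  status=$(cat /proc/self/status 2>/dev/null) || return 2
  last_cap=$(cat /proc/sys/kernel/cap_last_cap 2>/dev/null) || return 2
  is_full_bounding_set "$status" "$last_cap"
}

# Constructed sample data mimicking /proc/self/status on a kernel with cap_last_cap=40.
# Docker's default capability set (not privileged):
SAMPLE_STATUS_DEFAULT=$(printf 'Name:\tbash\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n')
# The same container started with --privileged:
SAMPLE_STATUS_PRIV=$(printf 'Name:\tbash\nCapBnd:\t000001ffffffffff\nSeccomp:\t0\n')

# Run the real check only when invoked as: sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then
  if privileged_self_check; then
    echo "full capability bounding set: container is (at least effectively) privileged"
  else
    echo "restricted bounding set: not privileged"
  fi
fi
```

Two caveats worth keeping in mind when choosing between this and the ip link probe from the answer: the probe needs the ip binary (iproute2) in the image, and if it is missing the command exits 127, which the answer's script reports as "not privileged"; and ip link add only needs CAP_NET_ADMIN, so a container started with --cap-add NET_ADMIN would also pass it. The /proc read needs no extra tools and has no side effects, at the cost of not distinguishing --privileged from --cap-add=ALL.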
-6

From inside the container, your docker commands (docker ps, docker inspect, or any other) will be available if your docker run command has -v /var/run/docker.sock:/var/run/docker.sock

user2915097
  • True but overkill IMHO. That also gives the container full access to the host machine. – Leo Gallucci Aug 22 '15 at 08:26
  • How is linking the docker socket to the container giving full access to the host? There are a lot of people linking the docker executable from the host. – Romeo Mihalcea Oct 02 '16 at 11:47
  • The docker commands are not available unless you install docker inside the container or use the API in weird ways. And, true, it would be overkill. A compromised container could create havoc. – Ricardo Branco Feb 21 '17 at 23:01
  • @RomeoMihalcea Access to the Docker daemon allows you to run arbitrary commands in arbitrarily configured containers. One exploit is that, since you can mount any file or directory on the host into the container, you can modify any file on the host. Here's an example of [leveraging Docker for root access](https://github.com/0cjs/sedoc/blob/master/app/docker.md#leveraging-docker-for-root-access) on the host. (Somehow blocking this particular avenue still leaves many other exploits open.) – cjs Feb 16 '18 at 08:06
  • Bad security practice indeed; it should be avoided unless absolutely necessary, and isolated if possible (a dedicated node in k8s for example, with a dedicated PSP/user account). @cjs +1 – tisc0 Apr 16 '20 at 22:28