On Thu, Jul 31, 2014 at 10:38:59PM +0200, Stef Walter wrote:
> I've heard this concept slung around, but never saw it in real
> life.
> What does a Docker privileged container look like and how does it work?
> Any documentation? A trivial google search doesn't seem to turn up
> anything definitive.

"Normal" containers run with a munged network (i.e. 172.* address), dropped
kernel capabilities, and under a limited SELinux security context (i.e.
system_u:system_r:svirt_lxc_net_t:s0:c712,c869). Docker containers started with the
"--privileged" option still run with a munged network but have fewer (maybe even
no, I'd have to check the source) kernel capabilities dropped and run under a more
lenient SELinux. The more lenient context is something like:
system_u:system_r:docker_t:s0. I can't remember exactly off the top of my head.
To give a concrete example: normal containers probably can't access the /dev/
pseudo-filesystem the way Cockpit (I assume) needs to. I would expect that a
"--privileged" container could.
_Trevor
--
Sent from my Amiga 500.
(Trevor Jay) Red Hat Product Security
gpg-key:
https://ssl.montrose.is/chat/gpg-key
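
One way to check the two properties the reply above describes (which kernel capabilities are dropped, and which SELinux context the process runs under) instead of guessing. This is an added example, not part of the original message: the function names are hypothetical, the `/proc` status text and capability masks are constructed samples, and the two labels are the ones quoted in the message.

```python
import re

# Capability names by bit number (bits 0-37), as defined in linux/capability.h.
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read""".split()

def effective_caps(status_text):
    """Decode the CapEff line of /proc/<pid>/status into capability names."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def selinux_type(label):
    """Return (type, has_mcs_categories) for user:role:type:level[:categories]."""
    parts = label.strip().rstrip("\x00").split(":")
    if len(parts) < 4:
        raise ValueError("not an SELinux context: %r" % label)
    return parts[2], len(parts) > 4

def describe(status_text, label):
    """Summarise how confined a process is from its status text and label."""
    caps = effective_caps(status_text)
    setype, mcs = selinux_type(label)
    return {
        "dropped": sorted(set(CAP_NAMES) - caps),
        "has_sys_admin": "sys_admin" in caps,
        "selinux_type": setype,
        "mcs_confined": mcs,
    }

# Constructed samples: a reduced capability set and a full one.
SAMPLE_REDUCED = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_FULL = "Name:\tsh\nCapEff:\t0000003fffffffff\n"
# Labels as quoted in the message above.
LABEL_NORMAL = "system_u:system_r:svirt_lxc_net_t:s0:c712,c869"
LABEL_PRIVILEGED = "system_u:system_r:docker_t:s0"

if __name__ == "__main__":
    for name, status, label in (("normal", SAMPLE_REDUCED, LABEL_NORMAL),
                                ("privileged", SAMPLE_FULL, LABEL_PRIVILEGED)):
        print(name, describe(status, label))
```

On a live host, pass the contents of `/proc/self/status` and `/proc/self/attr/current` read from inside the container in place of the samples.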