Leo Gallucci

Reputation: 16722

How to know if a docker container is running in privileged mode

I would like to know, via a bash script, whether the currently running container was started in --privileged mode, from inside the container (not from the host machine).

For now I'm stuck with passing an env var with the flag, but it is not an ideal solution.

Upvotes: 40

Views: 32869

Answers (3)

felipecrs

Reputation: 732

This is the solution I came up with:

#!/bin/sh
#
# is_privileged.sh

set -eu

# Get the capability bounding set
cap_bnd=$(grep '^CapBnd:' /proc/$$/status | awk '{print $2}')
# Convert to decimal
cap_bnd=$(printf "%d" "0x${cap_bnd}")

# Get the last capability number
last_cap=$(cat /proc/sys/kernel/cap_last_cap)

# Calculate the maximum capability value
max_cap=$(((1 << (last_cap + 1)) - 1))

if [ "${cap_bnd}" -eq "${max_cap}" ]; then
    echo "Container is running in privileged mode." >&2
    exit 0
else
    echo "Container is not running in privileged mode." >&2
    exit 1
fi

Example:

$ cat is_privileged.sh | docker run --rm -i alpine sh
Container is not running in privileged mode.

$ cat is_privileged.sh | docker run --rm -i --privileged alpine sh
Container is running in privileged mode.

I believe it is a better option, as it doesn't actually create any ip link.

I've also made it available in my docker-scripts project.

Upvotes: 1
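As an added example (not part of the answer above, and not from the docker-scripts project), the script below generalizes the CapBnd comparison: it decodes a capability mask into names, compares it with the full set for a given cap_last_cap, reads the Seccomp field as a second signal, and runs against constructed /proc status snippets so it can be exercised outside a container. The function names (caps_from_hex, is_privileged_mask, is_privileged_status, seccomp_mode, report) and the sample status files are this example's own assumptions.

```shell
#!/bin/sh
# Added example: decode the CapBnd mask from a /proc/<pid>/status file and
# compare it with the kernel's cap_last_cap. Function names are this
# example's own, not from the answer above or from Docker.
set -eu

# Capability names in bit order, CAP_CHOWN (0) .. CAP_CHECKPOINT_RESTORE (40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# Print the names of the capabilities present in a hex mask, space separated.
caps_from_hex() {
    cfh_mask=$(printf '%d' "0x$1")
    cfh_i=0
    cfh_out=""
    for cfh_name in $CAP_NAMES; do
        if [ $(( (cfh_mask >> cfh_i) & 1 )) -eq 1 ]; then
            cfh_out="$cfh_out $cfh_name"
        fi
        cfh_i=$((cfh_i + 1))
    done
    printf '%s\n' "${cfh_out# }"
}

# Succeed when the mask covers every capability 0..last_cap, i.e. the full
# bounding set that --privileged (and also --cap-add ALL) leaves in place.
is_privileged_mask() {
    ipm_mask=$(printf '%d' "0x$1")
    ipm_full=$(( (1 << ($2 + 1)) - 1 ))
    [ "$ipm_mask" -eq "$ipm_full" ]
}

# Same check driven by a status file path and a cap_last_cap value.
is_privileged_status() {
    ips_hex=$(awk '/^CapBnd:/ {print $2}' "$1")
    is_privileged_mask "$ips_hex" "$2"
}

# Seccomp mode from a status file: 0 = disabled, 1 = strict, 2 = filter.
# Docker's default profile shows 2; --privileged runs unconfined, so 0.
seccomp_mode() {
    awk '/^Seccomp:/ {print $2}' "$1"
}

# Print a one-line verdict for a status file at a given cap_last_cap.
report() {
    if is_privileged_status "$1" "$2"; then
        printf '%s: privileged (full bounding set, seccomp mode %s)\n' \
            "$3" "$(seccomp_mode "$1")"
    else
        printf '%s: not privileged, CapBnd = %s\n' \
            "$3" "$(caps_from_hex "$(awk '/^CapBnd:/ {print $2}' "$1")")"
    fi
}

# Constructed status snippets (not captured from a real container):
# a80425fb is Docker's default 14-capability bounding set, 1ffffffffff is
# the full set on a kernel whose cap_last_cap is 40.
DEFAULT_STATUS=$(mktemp)
printf 'Name:\tsh\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n' > "$DEFAULT_STATUS"
PRIV_STATUS=$(mktemp)
printf 'Name:\tsh\nCapBnd:\t000001ffffffffff\nSeccomp:\t0\n' > "$PRIV_STATUS"

report "$DEFAULT_STATUS" 40 "constructed default"
report "$PRIV_STATUS" 40 "constructed privileged"

# On a live Linux system, check the current process the same way.
if [ -r /proc/self/status ] && [ -r /proc/sys/kernel/cap_last_cap ]; then
    report /proc/self/status "$(cat /proc/sys/kernel/cap_last_cap)" "this process"
fi

rm -f "$DEFAULT_STATUS" "$PRIV_STATUS"
```

Two caveats on what this check proves. A full bounding set is also what `--cap-add ALL` produces, so the mask alone cannot tell the two apart; the Seccomp field helps, since `--privileged` drops the seccomp profile while `--cap-add ALL` keeps it. And cap_last_cap depends on the running kernel, which is why the full-set value is computed from it rather than hard-coded.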

Thomasleveil

Reputation: 104125

From the docker host

Use the docker inspect command:

docker inspect --format='{{.HostConfig.Privileged}}' <container id>

And within a bash script you could have a test:

if [[ $(docker inspect --format='{{.HostConfig.Privileged}}' <container id>) == "false" ]]; then
    echo not privileged
else
    echo privileged
fi

From inside the container itself

You have to try to run a command that requires the --privileged flag and see if it fails.

For instance ip link add dummy0 type dummy is a command which requires the --privileged flag to be successful:

$ docker run --rm -it ubuntu ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted

while

$ docker run --rm -it --privileged ubuntu ip link add dummy0 type dummy

runs fine.

In a bash script you could do something similar to this:

# Test the exit status of the probe directly instead of inspecting $?
# afterwards; send both stdout and stderr to /dev/null so the
# "RTNETLINK answers: Operation not permitted" message stays out of the output.
if ip link add dummy0 type dummy >/dev/null 2>&1; then
    PRIVILEGED=true
    # clean up the dummy0 link
    ip link delete dummy0 >/dev/null 2>&1
else
    PRIVILEGED=false
fi

Upvotes: 72

user2915097

Reputation: 32196

From inside the container, your docker commands (docker ps, docker inspect, or any other) will be available if your docker run command has -v /var/run/docker.sock:/var/run/docker.sock.

Upvotes: -6
