Reputation: 676
Regardless of docker/crio/containerd starting the container, is there a way to understand if the runc container is running as a privileged one?
docker inspect does show privilegedness, but I want to find out at the runc layer.
Upvotes: 2
Views: 1545
Reputation: 3758
The state and the configuration of every runc container may be obtained from the $ROOT_DIR/$CONTAINER_ID/state.json file, where $ROOT_DIR is a root directory for a group of containers (usually managed by a specific higher-level runtime like Docker). For example, on my machine Docker uses the root dir /run/docker/runtime-runc/moby, so I can find the runc-level configuration of some container as follows:
# jq .config /run/docker/runtime-runc/moby/$CONTAINER_ID/state.json
{
  "no_pivot_root": false,
  "parent_death_signal": 0,
  "rootfs": "/var/lib/docker/overlay2/<CONTAINER_ID>/merged",
  "readonlyfs": false,
  ...
}
You can easily find out that this file does not contain fields like privileged. A quick search through the runc source code shows that it does not have a notion of a privileged container, i.e. this is an abstraction from the higher levels. This means, in turn, that there is no simple way to determine whether the container was started as a privileged one or not from the runc level.
However, it is still possible to say whether the container has the same privileges as those which are granted by the --privileged argument at the Docker level: the state.json file contains a list of capabilities granted to the container, a list of device nodes available to the container, the seccomp mode and so on. From a practical standpoint, it is unwise to waste your time on checking all these settings, so it is better just to look at docker inspect.
Upvotes: 3
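As an added example (not from the answer, not runc's or Docker's own code), the check the answer describes but advises against doing by hand: read the config section of state.json and test the settings that --privileged changes (capability bounding set, seccomp, masked/read-only paths, AppArmor profile). The JSON field names follow runc's libcontainer config serialisation as I understand it and the two embedded state.json fragments are constructed; verify both against a real state.json from your runc version.

```python
import json
import os

# Capabilities that Docker's default profile drops but --privileged keeps.
SENSITIVE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE"}

def load_state(container_id, root_dir="/run/docker/runtime-runc/moby"):
    """Read runc's state.json for one container (root dir taken from the answer)."""
    with open(os.path.join(root_dir, container_id, "state.json")) as fh:
        return json.load(fh)

def privilege_indicators(state):
    """Per-setting booleans derived from the 'config' object of state.json.
    Field names are an assumption about runc's libcontainer serialisation."""
    cfg = state["config"]
    bounding = set((cfg.get("capabilities") or {}).get("Bounding") or [])
    return {
        "sensitive_caps_in_bounding": SENSITIVE_CAPS <= bounding,
        "seccomp_disabled": cfg.get("seccomp") is None,
        "no_masked_paths": not cfg.get("mask_paths"),
        "no_readonly_paths": not cfg.get("readonly_paths"),
        "apparmor_unconfined": cfg.get("apparmor_profile", "") in ("", "unconfined"),
    }

def looks_privileged(state):
    """True only when every indicator matches what --privileged leaves behind."""
    return all(privilege_indicators(state).values())

# Constructed sample: roughly what Docker's default (non-privileged) profile yields.
DEFAULT_STATE = json.loads("""{"config": {
  "capabilities": {"Bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_KILL"]},
  "apparmor_profile": "docker-default",
  "mask_paths": ["/proc/kcore", "/proc/keys", "/sys/firmware"],
  "readonly_paths": ["/proc/bus", "/proc/sys", "/sys/fs/cgroup"],
  "seccomp": {"syscalls": []}
}}""")

# Constructed sample: the same fields as --privileged leaves them (no seccomp,
# no masked or read-only paths, no AppArmor profile, full bounding set).
PRIVILEGED_STATE = json.loads("""{"config": {
  "capabilities": {"Bounding": ["CAP_SYS_ADMIN", "CAP_SYS_MODULE",
                                "CAP_SYS_RAWIO", "CAP_SYS_PTRACE", "CAP_CHOWN"]},
  "mask_paths": [],
  "readonly_paths": [],
  "seccomp": null
}}""")

if __name__ == "__main__":
    for name, st in (("default", DEFAULT_STATE), ("privileged", PRIVILEGED_STATE)):
        print(name, looks_privileged(st), privilege_indicators(st))
```

On a live host, `looks_privileged(load_state(container_id))` runs the same check against the real file; a container started with only some of these relaxations (e.g. --cap-add SYS_ADMIN alone) will show up as individual True indicators rather than a fully privileged result.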