When working with Docker, containers are designed to be isolated and restricted from performing sensitive host operations like mounting filesystems, managing devices, or manipulating the kernel. This security model is great for safety - but sometimes it gets in the way when you need low-level system access. This tutorial explains how to run a Docker container in privileged mode.
Try running a standard Ubuntu container:
docker run -it --rm ubuntu
Inside the container, run the following commands to mount a temporary file system (tmpfs) to /mnt/test:
mkdir -p /mnt/test
mount -t tmpfs none /mnt/test
You'll get an error:
mount: /mnt/test: permission denied.
dmesg(1) may have more information after failed mount system call.
This happens because mounting filesystems requires an elevated capability (CAP_SYS_ADMIN), which Docker does not grant to standard containers for security reasons.
Privileged mode gives the container almost full access to the host system, including capabilities and devices that are normally blocked.
Here's how to run the same container with --privileged:
docker run -it --rm --privileged ubuntu
Now, inside the container, repeat the same commands to mount the tmpfs.
Check the disk space usage in a human-readable format using the following command:
df -h
Example output:
Filesystem Size Used Avail Use% Mounted on
overlay 39G 11G 26G 30% /
tmpfs 64M 0 64M 0% /dev
shm 64M 0 64M 0% /dev/shm
/dev/mapper/ubuntu--vg-ubuntu--lv 39G 11G 26G 30% /etc/hosts
none 12G 0 12G 0% /mnt/test
You can now see that the tmpfs mount at /mnt/test succeeded.
Using --privileged is powerful - and dangerous:
- The container gets access to all devices.
- It can mount filesystems, modify host networking, and more.
- It effectively runs as root on the host.
Avoid using --privileged in production unless you absolutely need to, and only with trusted images.
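A quick way to see the difference described above from inside a container is to decode the effective capability mask the kernel reports in /proc/self/status. The script below is an added example, not part of the original post: it checks whether CAP_SYS_ADMIN (the capability the failed mount needed) is present and whether the mask is the full set that --privileged grants. The sample masks are constructed values, and the "every bit set" rule for detecting privileged mode is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): decode the CapEff mask from
# /proc/<pid>/status and classify the container's capability level.

CAP_SYS_ADMIN_BIT=21   # bit index of CAP_SYS_ADMIN in the capability mask

# has_cap HEXMASK BIT -> exit status 0 if the bit is set, 1 otherwise
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# classify_caps HEXMASK -> prints "privileged", "sys_admin" or "restricted"
# Assumption: --privileged yields a mask with every capability bit set up to
# the highest one the kernel knows, i.e. a value of the form 2^k - 1.
classify_caps() {
    mask=$1
    n=$(( 0x$mask ))
    if [ "$n" -ne 0 ] && [ $(( n & (n + 1) )) -eq 0 ]; then
        echo privileged
    elif has_cap "$mask" "$CAP_SYS_ADMIN_BIT"; then
        echo sys_admin        # mount would work, but not the full host access
    else
        echo restricted       # the default Docker case: mount -t tmpfs fails
    fi
}

# current_caps -> prints this process's CapEff value (Linux only)
current_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks (not captured from a real host):
DEFAULT_DOCKER_CAPS=00000000a80425fb   # Docker's default capability set
PRIVILEGED_CAPS=000001ffffffffff       # all 41 capabilities, as --privileged gives

if [ -r /proc/self/status ]; then
    echo "this process: $(classify_caps "$(current_caps)")"
fi
```

Run it inside both the plain and the --privileged container to see the classification flip from restricted to privileged.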