Privileged Container

Scenarios

By default, iSulad starts common containers, which are suitable for running ordinary processes. A common container has only the default permissions defined by the capabilities setting in /etc/default/isulad/config.json. To perform privileged operations (such as using devices under /sys), a privileged container is required. With this feature, user root in the container has the root permissions of the host; otherwise, user root in the container has only the permissions of a common user on the host.

Usage Restrictions

Privileged containers provide containers with all functions and remove all restrictions enforced by the device cgroup controller. A privileged container has the following features:

  • Seccomp does not block any system call.

  • The /sys and /proc directories are writable.

  • All devices on the host can be accessed in the container.

  • All system capabilities are enabled.

Default capabilities of a common container are as follows:

Capability Key      Description
SETPCAP             Modifies the process capabilities.
MKNOD               Allows using the system call mknod() to create special files.
AUDIT_WRITE         Writes records to kernel auditing logs.
CHOWN               Modifies UIDs and GIDs of files. For details, see chown(2).
NET_RAW             Uses RAW and PACKET sockets and binds any IP address to the transparent proxy.
DAC_OVERRIDE        Ignores the discretionary access control (DAC) restrictions on files.
FOWNER              Ignores the restriction that the file owner ID must be the same as the process user ID.
FSETID              Allows setting setuid bits of files.
KILL                Allows sending signals to processes owned by other users.
SETGID              Allows changing the process group ID.
SETUID              Allows changing the process user ID.
NET_BIND_SERVICE    Allows binding to a port whose number is smaller than 1024.
SYS_CHROOT          Allows using the system call chroot().
SETFCAP             Allows transferring and deleting capabilities to other processes.

When a privileged container is enabled, the following capabilities are added:

Capability Key      Description
SYS_MODULE          Loads and unloads kernel modules.
SYS_RAWIO           Allows direct access to /dev/port, /dev/mem, /dev/kmem, and raw block devices.
SYS_PACCT           Allows BSD process accounting.
SYS_ADMIN           Allows executing system management tasks, such as mounting or unmounting file systems and setting disk quotas.
SYS_NICE            Allows raising the process priority and setting the priorities of other processes.
SYS_RESOURCE        Ignores resource restrictions.
SYS_TIME            Allows changing the system clock.
SYS_TTY_CONFIG      Allows configuring TTY devices.
AUDIT_CONTROL       Enables and disables kernel auditing, modifies audit filter rules, and retrieves audit status and filtering rules.
MAC_ADMIN           Overrides the mandatory access control (MAC), which is implemented for the Smack Linux Security Module (LSM).
MAC_OVERRIDE        Allows MAC configuration or status changes, which is implemented for the Smack LSM.
NET_ADMIN           Allows executing network management tasks.
SYSLOG              Performs the privileged syslog(2) operation.
DAC_READ_SEARCH     Ignores the DAC access restrictions on file reading and directory search.
LINUX_IMMUTABLE     Allows modifying the IMMUTABLE and APPEND attributes of a file.
NET_BROADCAST       Allows network broadcast and multicast access.
IPC_LOCK            Allows locking shared memory segments.
IPC_OWNER           Ignores the IPC ownership check.
SYS_PTRACE          Allows tracing any process.
SYS_BOOT            Allows restarting the OS.
LEASE               Allows modifying the FL_LEASE flag of a file lock.
WAKE_ALARM          Triggers the system wake-up function, for example, by setting CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers.
BLOCK_SUSPEND       Allows blocking system suspension.

Usage Guide

iSulad uses the --privileged option to enable privileged mode for containers. Do not add privileges to containers unless necessary. Comply with the principle of least privilege to reduce security risks.

isula run --rm -it --privileged busybox
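The two capability tables above are easiest to verify from inside a running container, where the kernel reports the effective set as a hex bitmask on the CapEff line of /proc/self/status. The following script is an added example and is not part of the iSulad documentation or code base: it decodes such a mask into capability names using the bit numbers from the kernel's capability.h, compares the result with the common-container default set listed on this page, and reports anything beyond it. The two status excerpts in the block are constructed for the example (the common mask 0xa80425fb is exactly the 14 default capabilities; the privileged mask 0x1fffffffff covers bits 0 to 36, that is, every capability named on this page), not output captured from a real container.

```python
"""Decode a CapEff bitmask from /proc/<pid>/status and flag capabilities
that exceed a common container's default set.

Added example for the iSulad privileged-container page; not project code.
"""
import re

# Capability bit positions as defined in the kernel's
# include/uapi/linux/capability.h (index == bit number).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Default capability set of a common container, as listed in the text above.
COMMON_DEFAULTS = frozenset({
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
})

# Constructed /proc/self/status excerpts (not captured from a real container):
# a common container with the default set, and a privileged one with bits 0-36.
COMMON_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
)
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000001fffffffff\n"

CAPEFF_RE = re.compile(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def cap_name(bit):
    """Name for a capability bit; bits newer than the table get a numeric name."""
    return CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"


def decode_caps(mask):
    """Return the set of capability names whose bit is set in `mask`."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(cap_name(bit))
        bit += 1
    return names


def parse_capeff(status_text):
    """Extract the effective-capability mask from /proc/<pid>/status text."""
    match = CAPEFF_RE.search(status_text)
    if match is None:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def extra_caps(mask):
    """Capabilities in `mask` that a common container does not get by default."""
    return sorted(decode_caps(mask) - COMMON_DEFAULTS)


def exceeds_common_defaults(mask):
    """True when the process holds anything beyond the common-container set."""
    return bool(extra_caps(mask))


if __name__ == "__main__":
    for label, text in (("common", COMMON_STATUS), ("privileged", PRIVILEGED_STATUS)):
        mask = parse_capeff(text)
        print(f"{label}: CapEff={mask:#018x} extra={extra_caps(mask)}")
    # Live check of the current process; run this inside the container itself.
    try:
        with open("/proc/self/status") as status:
            live = parse_capeff(status.read())
        print(f"this process: extra={extra_caps(live)}")
    except OSError:
        pass
```

Run the script inside a container started with and without --privileged and compare the "extra" list; a common container should report an empty list, and any entry in it is a capability the workload was granted beyond the default set and should be justified under the least-privilege rule stated above. Bits beyond BLOCK_SUSPEND are reported by number so that a newer kernel's capabilities are not silently dropped.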
