LTS

    Innovation Version

      Privileged Container

      Scenarios

      By default, iSulad starts common containers that are suitable for starting common processes. However, common containers have only the default permissions defined by capabilities in the /etc/default/isulad/config.json directory. To perform privileged operations (such as use devices in the /sys directory), a privileged container is required. By using this feature, user root in the container has root permissions of the host. Otherwise, user root in the container has only common user permissions of the host.

      Usage Restrictions

      Privileged containers provide all functions for containers and remove all restrictions enforced by the device cgroup controller. A privileged container has the following features:

      • Secomp does not block any system call.

      • The /sys and /proc directories are writable.

      • All devices on the host can be accessed in the container.

      • All system capabilities will be enabled.

      Default capabilities of a common container are as follows:

      Capability Key

      Description

      SETPCAP

      Modifies the process capabilities.

      MKNOD

      Allows using the system call mknod() to create special files.

      AUDIT_WRITE

      Writes records to kernel auditing logs.

      CHOWN

      Modifies UIDs and GIDs of files. For details, see the chown(2).

      NET_RAW

      Uses RAW and PACKET sockets and binds any IP address to the transparent proxy.

      DAC_OVERRIDE

      Ignores the discretionary access control (DAC) restrictions on files.

      FOWNER

      Ignores the restriction that the file owner ID must be the same as the process user ID.

      FSETID

      Allows setting setuid bits of files.

      KILL

      Allows sending signals to processes that do not belong to itself.

      SETGID

      Allows the change of the process group ID.

      SETUID

      Allows the change of the process user ID.

      NET_BIND_SERVICE

      Allows bounding to a port whose number is smaller than 1024.

      SYS_CHROOT

      Allows using the system call chroot().

      SETFCAP

      Allows transferring and deleting capabilities to other processes.

      When a privileged container is enabled, the following capabilities are added:

      Capability Key

      Description

      SYS_MODULE

      Loads and unloads kernel modules.

      SYS_RAWIO

      Allows direct access to /devport, /dev/mem, /dev/kmem, and original block devices.

      SYS_PACCT

      Allows the process BSD audit.

      SYS_ADMIN

      Allows executing system management tasks, such as loading or unloading file systems and setting disk quotas.

      SYS_NICE

      Allows increasing the priority and setting the priorities of other processes.

      SYS_RESOURCE

      Ignores resource restrictions.

      SYS_TIME

      Allows changing the system clock.

      SYS_TTY_CONFIG

      Allows configuring TTY devices.

      AUDIT_CONTROL

      Enables and disables kernel auditing, modifies audit filter rules, and extracts audit status and filtering rules.

      MAC_ADMIN

      Overrides the mandatory access control (MAC), which is implemented for the Smack Linux Security Module (LSM).

      MAC_OVERRIDE

      Allows MAC configuration or status change, which is implemented for Smack LSM.

      NET_ADMIN

      Allows executing network management tasks.

      SYSLOG

      Performs the privileged syslog(2) operation.

      DAC_READ_SEARCH

      Ignores the DAC access restrictions on file reading and catalog search.

      LINUX_IMMUTABLE

      Allows modifying the IMMUTABLE and APPEND attributes of a file.

      NET_BROADCAST

      Allows network broadcast and multicast access.

      IPC_LOCK

      Allows locking shared memory segments.

      IPC_OWNER

      Ignores the IPC ownership check.

      SYS_PTRACE

      Allows tracing any process.

      SYS_BOOT

      Allows restarting the OS.

      LEASE

      Allows modifying the FL_LEASE flag of a file lock.

      WAKE_ALARM

      Triggers the function of waking up the system, for example, sets the CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers.

      BLOCK_SUSPEND

      Allows blocking system suspension.

      Usage Guide

      iSulad runs the --privileged command to enable the privilege mode for containers. Do not add privileges to containers unless necessary. Comply with the principle of least privilege to reduce security risks.

      isula run --rm -it --privileged busybox
      

      Bug Catching

      Buggy Content

      Bug Description

      Submit As Issue

      It's a little complicated....

      I'd like to ask someone.

      PR

      Just a small problem.

      I can fix it online!

      Bug Type
      Specifications and Common Mistakes

      ● Misspellings or punctuation mistakes;

      ● Incorrect links, empty cells, or wrong formats;

      ● Chinese characters in English context;

      ● Minor inconsistencies between the UI and descriptions;

      ● Low writing fluency that does not affect understanding;

      ● Incorrect version numbers, including software package names and version numbers on the UI.

      Usability

      ● Incorrect or missing key steps;

      ● Missing prerequisites or precautions;

      ● Ambiguous figures, tables, or texts;

      ● Unclear logic, such as missing classifications, items, and steps.

      Correctness

      ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

      ● Incorrect schematic or architecture diagrams;

      ● Incorrect commands or command parameters;

      ● Incorrect code;

      ● Commands inconsistent with the functions;

      ● Wrong screenshots.

      Risk Warnings

      ● Lack of risk warnings for operations that may damage the system or important data.

      Content Compliance

      ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

      ● Copyright infringement.

      How satisfied are you with this document

      Not satisfied at all
      Very satisfied
      Submit
      Click to create an issue. An issue template will be automatically generated based on your feedback.
      Bug Catching
      编组 3备份