is there any way how to run privileged containers orchestered by docker swarm ? When i try deploy them via docker-compose i get information them compose is not able to deploy them to other swarm nodes and i have to use docker stack deploy. However when i use docker stqck deploy i get : Ignoring unsupported options: privileged .
Currently, privileged services are not supported. There is a PR in works(https://github.com/moby/moby/issues/24862). 1 option that works in some applications like monitoring is to deploy the monitoring container in privileged mode and have it in the same network as other services in swarm mode.
After three years, what is the status of privileged mode in swarm?
I have also been recently trying to find this answer, and to my knowledge unfortunately Docker Compose still does not support this option. It is due to the fact of how easy it is to make a container/service privileged, and the security vulnerabilities which lie in privileged mode. It is better to add capacities until the needs of the image are satisfied. Unfortunate for me, I’m not sure what capabilities are needed, so my image is not working.
I didn’t find any solution from any links. Can anyone please post a solution here for swarm
Swarm never supported privliged containers, see: https://github.com/moby/moby/issues/25303
Though, I remember that swarm services recently added –cap-add, which allows to add capabilities one by one.
Oddly, the Compose File refence v3 explicitly says that cap_add is ignored for Swarm Stack deployments.
That’s a docu bug! It works!
Here is the test:
cat << EOF | docker stack deploy --compose-file - caps_test version: '3.9' services: libcap: image: alpine deploy: restart_policy: condition: none command: > sh -c "apk add --force --update-cache libcap && capsh --print" EOF cat << EOF | docker stack deploy --compose-file - caps_test version: '3.9' services: libcap: image: alpine deploy: restart_policy: condition: none cap_add: - NET_ADMIN command: > sh -c "apk add --force --update-cache libcap && capsh --print" EOF docker service logs -f caps_test_libcap
This should deploy the service twice. You should be able to see the first and second log outputs (at least I do), though the second has additionaly
cap_net_admin in the
After performing the test, don’t forget to cleanup the stack:
docker stack rm caps_test