Docker Community Forums


Privileged containers

Hello,
Is there any way to run privileged containers orchestrated by docker swarm? When I try to deploy them via docker-compose I get a message that compose is not able to deploy them to other swarm nodes and that I have to use docker stack deploy. However, when I use docker stack deploy I get: Ignoring unsupported options: privileged.


Currently, privileged services are not supported. There is a PR in the works (https://github.com/moby/moby/issues/24862). One option that works in some applications like monitoring is to deploy the monitoring container in privileged mode and have it in the same network as the other services in swarm mode.

After three years, what is the status of privileged mode in swarm?

I have also been recently trying to find this answer, and to my knowledge unfortunately Docker Compose still does not support this option. It is due to the fact of how easy it is to make a container/service privileged, and the security vulnerabilities which lie in privileged mode. It is better to add capabilities until the needs of the image are satisfied. Unfortunately for me, I’m not sure what capabilities are needed, so my image is not working.

I didn’t find any solution in any of the links. Can anyone please post a solution here for swarm?

Swarm never supported privileged containers, see: https://github.com/moby/moby/issues/25303

Though, I remember that swarm services recently added --cap-add, which allows adding capabilities one by one.

Oddly, the Compose File reference v3 explicitly says that cap_add is ignored for Swarm Stack deployments.

That’s a docu bug! It works!

Here is the test:

cat << EOF | docker stack deploy --compose-file - caps_test
version: '3.9'
services:
  libcap:
    image: alpine
    deploy:
      restart_policy: 
        condition: none
    command: >
      sh -c "apk add --force --update-cache libcap
      && capsh --print"
EOF
cat << EOF | docker stack deploy --compose-file - caps_test
version: '3.9'
services:
  libcap:
    image: alpine
    deploy:
      restart_policy: 
        condition: none
    cap_add:
      - NET_ADMIN
    command: >
      sh -c "apk add --force --update-cache libcap
      && capsh --print"
EOF
docker service logs -f caps_test_libcap

This should deploy the service twice. You should be able to see the first and second log outputs (at least I do), though the second additionally has cap_net_admin in the Current section.

After performing the test, don’t forget to cleanup the stack:

docker stack rm caps_test
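As an added example that is not part of the thread, this Python script does the comparison described above mechanically: it parses the `Current:` line that capsh --print writes into the two service logs, reports which capabilities the cap_add deployment gained, and flags any capability that is neither in Docker's default set nor declared under cap_add. The log excerpts and task names are constructed; the default capability list is the one documented for Docker Engine 20.x and should be checked against the version you run.

```python
import re

# Docker Engine's default capability set for unprivileged containers
# (assumption: Engine 20.x documentation; verify for your version).
DOCKER_DEFAULT_CAPS = frozenset({
    "cap_chown", "cap_dac_override", "cap_fowner", "cap_fsetid", "cap_kill",
    "cap_setgid", "cap_setuid", "cap_setpcap", "cap_net_bind_service",
    "cap_net_raw", "cap_sys_chroot", "cap_mknod", "cap_audit_write",
    "cap_setfcap",
})

# Constructed excerpts in the shape `docker service logs` prints (task name
# prefixes are made up). Older libcap prints "Current: = list+eip", newer
# libcap prints "Current: list=ep"; the parser accepts both forms.
LOG_WITHOUT_CAP_ADD = """\
caps_test_libcap.1.x1y2z3@node1    | Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
caps_test_libcap.1.x1y2z3@node1    | Bounding set =cap_chown,cap_dac_override
"""
LOG_WITH_CAP_ADD = """\
caps_test_libcap.1.a4b5c6@node2    | Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap,cap_net_admin=ep
"""

_CURRENT_RE = re.compile(r"Current:\s*(.*)$", re.MULTILINE)


def parse_current_caps(log_text: str) -> set[str]:
    """Return the capability names listed on the capsh `Current:` line."""
    match = _CURRENT_RE.search(log_text)
    if not match:
        raise ValueError("no 'Current:' line found in log")
    body = match.group(1).strip().lstrip("=").strip()
    # Drop the effective/permitted/inheritable flag suffix (+eip or =ep).
    body = re.split(r"[+=]", body, maxsplit=1)[0]
    return {c.strip() for c in body.split(",") if c.strip()}


def added_caps(log_before: str, log_after: str) -> set[str]:
    """Capabilities present in the second deployment but not the first."""
    return parse_current_caps(log_after) - parse_current_caps(log_before)


def unexpected_caps(log_text: str, declared_cap_add: set[str]) -> set[str]:
    """Capabilities beyond Docker's defaults plus what the stack file declared."""
    declared = {c.lower() if c.lower().startswith("cap_") else "cap_" + c.lower()
                for c in declared_cap_add}
    return parse_current_caps(log_text) - (DOCKER_DEFAULT_CAPS | declared)


if __name__ == "__main__":
    print("gained:", sorted(added_caps(LOG_WITHOUT_CAP_ADD, LOG_WITH_CAP_ADD)))
    print("unexpected:", sorted(unexpected_caps(LOG_WITH_CAP_ADD, {"NET_ADMIN"})))
```

Pipe the real output of docker service logs into parse_current_caps to compare against a stack file's cap_add list; a non-empty unexpected set means the task has more capabilities than the stack file asked for.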