Hello,
is there any way to run privileged containers orchestrated by Docker Swarm? When I try to deploy them via docker-compose I get the information that compose is not able to deploy them to other swarm nodes and I have to use docker stack deploy. However, when I use docker stack deploy I get: Ignoring unsupported options: privileged.
Currently, privileged services are not supported. There is a PR in the works (https://github.com/moby/moby/issues/24862). One option that works in some applications like monitoring is to deploy the monitoring container in privileged mode and have it in the same network as other services in swarm mode.
After three years, what is the status of privileged mode in swarm?
I have also been recently trying to find this answer, and to my knowledge Docker Compose unfortunately still does not support this option. It is due to how easy it is to make a container/service privileged, and the security vulnerabilities which lie in privileged mode. It is better to add capabilities until the needs of the image are satisfied. Unfortunately for me, I'm not sure what capabilities are needed, so my image is not working.
I didn't find any solution in any of the links. Can anyone please post a solution here for swarm?
Swarm never supported privileged containers, see: https://github.com/moby/moby/issues/25303
Though, I remember that swarm services recently added --cap-add, which allows adding capabilities one by one.
Oddly, the Compose File reference v3 explicitly says that cap_add is ignored for Swarm Stack deployments.
That’s a docu bug! It works!
Here is the test:
cat << EOF | docker stack deploy --compose-file - caps_test
version: '3.9'
services:
  libcap:
    image: alpine
    deploy:
      restart_policy:
        condition: none
    command: >
      sh -c "apk add --force --update-cache libcap
      && capsh --print"
EOF

cat << EOF | docker stack deploy --compose-file - caps_test
version: '3.9'
services:
  libcap:
    image: alpine
    deploy:
      restart_policy:
        condition: none
    cap_add:
      - NET_ADMIN
    command: >
      sh -c "apk add --force --update-cache libcap
      && capsh --print"
EOF
docker service logs -f caps_test_libcap
This should deploy the service twice. You should be able to see the first and second log outputs (at least I do), though the second additionally has cap_net_admin in the Current section.
After performing the test, don’t forget to cleanup the stack:
docker stack rm caps_test
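The capsh test above compares two textual outputs by eye, and the earlier reply asked how to find out which capabilities an image actually needs. The following is an added example, not code from the thread or from Docker: a small POSIX shell script that decodes the CapEff bitmask a task reports in /proc/<pid>/status into capability names and diffs two masks, so you can see exactly what cap_add granted and what "privileged" would still add on top. The status lines in the script are constructed samples (the well-known default Docker set 00000000a80425fb, the same set plus NET_ADMIN, and the full 41-bit set a privileged container gets on a kernel of 5.9 or later); on a real service you would take the values from `docker exec <task-container> grep CapEff /proc/1/status`, which also works on images that have no capsh installed.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's code): decode the
# CapEff bitmask from /proc/<pid>/status into capability names and diff two
# masks. Runs offline; docker is only needed to obtain real status lines, e.g.
#   docker exec <task-container> grep Cap /proc/1/status

# Capability bit numbers from linux/capability.h:
# bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK: print the capabilities set in the mask, one per line,
# lowest bit first (same names capsh --print uses).
decode_caps() {
    mask=$((0x$1)); i=0
    for name in $CAP_NAMES; do
        [ $(( (mask >> i) & 1 )) -eq 1 ] && printf 'cap_%s\n' "$name"
        i=$((i + 1))
    done
    return 0
}

# cap_diff MASK_A MASK_B: capabilities present in MASK_B but not in MASK_A.
cap_diff() {
    extra=$(( 0x$2 & ~(0x$1) ))
    decode_caps "$(printf '%x' "$extra")"
}

# cap_eff_from_status: read /proc/<pid>/status text on stdin, print CapEff.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }'
}

# count_caps HEXMASK: number of capabilities set in the mask.
count_caps() {
    decode_caps "$1" | wc -l | tr -d ' '
}

# Constructed sample status lines (not captured from a real host): the default
# Docker capability set, the same set after cap_add NET_ADMIN, and the 41-bit
# set a privileged container gets on a kernel >= 5.9.
STATUS_DEFAULT='CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb'
STATUS_NET_ADMIN='CapPrm: 00000000a80435fb
CapEff: 00000000a80435fb'
PRIVILEGED_EFF=000001ffffffffff

default_eff=$(printf '%s\n' "$STATUS_DEFAULT" | cap_eff_from_status)
net_admin_eff=$(printf '%s\n' "$STATUS_NET_ADMIN" | cap_eff_from_status)

echo "Default swarm task ($default_eff), $(count_caps "$default_eff") caps:"
decode_caps "$default_eff"
echo "Added by cap_add: [NET_ADMIN]:"
cap_diff "$default_eff" "$net_admin_eff"
echo "Still missing versus privileged ($PRIVILEGED_EFF):"
cap_diff "$net_admin_eff" "$PRIVILEGED_EFF"
```

To apply it to the stack from the test above, pipe the real line in: `docker exec "$(docker ps -q -f name=caps_test_libcap)" grep CapEff /proc/1/status | cap_eff_from_status`. Diffing the result against the default set tells you which of your cap_add entries took effect; when hunting for the capabilities an image needs, add them one at a time and re-check rather than jumping to privileged. One caveat: privileged does more than set every capability bit (it also exposes host devices and drops the default seccomp and AppArmor confinement), so an identical capability set is necessary but not sufficient to reproduce what a privileged container could do.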