Avoiding Privileged Mode in Docker Containers

Tutorial 5 of 5

1. Introduction

1.1 Tutorial's Goal

In this tutorial, we aim to shed light on one of the most critical aspects of Docker security: avoiding running Docker containers in privileged mode. By the end of this tutorial, you will be able to run Docker containers with limited privileges, enhancing the security of your Docker environment.

1.2 Learning Outcomes

  • Understanding the risks of running Docker containers in privileged mode.
  • Learning how to run Docker containers with limited privileges.
  • Applying best security practices in Docker.

1.3 Prerequisites

  • Basic knowledge of Docker.
  • Docker installed on your system.

2. Step-by-Step Guide

2.1 Risks of Running Docker in Privileged Mode

When a container is run in privileged mode (docker run --privileged), it is granted every Linux capability, Docker's default seccomp and AppArmor restrictions are lifted, and the host's devices become accessible to it, so a compromise of the container is close to a compromise of the host. This is comparable to running a program as root directly on the host machine.

2.2 Running Docker Containers with Limited Privileges

The key to running Docker containers with limited privileges is to understand and use Docker’s --cap-add and --cap-drop options appropriately. These options control which Linux capabilities the container's processes hold: Docker already starts containers with a reduced default set rather than the full set, and the recommended practice is to drop everything and add back only the capabilities the workload actually needs.

3. Code Examples

3.1 Example 1: Running a Container with Limited Capabilities

# Run a Docker container with only the capabilities it needs; --rm removes the
# container on exit and -it gives you an interactive shell to experiment in
docker run --rm -it --cap-drop all --cap-add chown ubuntu

In this example, we run an Ubuntu container with only the chown capability. The --cap-drop all option drops every capability, including the ones Docker grants by default, and the --cap-add chown option then adds back only CAP_CHOWN.

3.2 Example 2: Checking the Capabilities of a Running Docker Container

# Check the capabilities of a running Docker container
docker exec -it <container_id> capsh --print

Replace <container_id> with the ID of your running Docker container. This command prints the capability sets (Current, Bounding set, and so on) of the process it starts inside the container. Note that capsh comes from the libcap2-bin package, which the stock ubuntu image does not include; if it is missing, read the Cap* lines from /proc/1/status inside the container instead (docker exec <container_id> grep Cap /proc/1/status) and decode the CapEff mask on the host with capsh --decode=<mask>.
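As an added example (not part of the original tutorial), the following POSIX shell script decodes the CapEff mask from /proc/<pid>/status into capability names and flags a fully privileged mask, so the check in Example 2 and Exercise 2 can be done in images that ship without capsh. The capability bit order follows the kernel's capability.h; the status excerpt at the bottom is constructed sample input.

```shell
#!/bin/sh
# Added example, not from the tutorial: decode the capability bitmask that the
# kernel exposes in /proc/<pid>/status. Against a real container, feed it with:
#   docker exec <container_id> cat /proc/1/status | read_caps
# Capability names in bit order (bit 0 = chown ... bit 40 = checkpoint_restore),
# following include/uapi/linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# read_caps: print the CapEff (effective set) hex mask from a status file on stdin.
read_caps() { awk '/^CapEff:/ { print $2 }'; }

# decode_caps <hexmask>: print the names of the set bits, space separated.
decode_caps() {
    mask=$((0x$1)); i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# cap_count <hexmask>: number of capabilities granted by the mask.
cap_count() {
    n=0
    for w in $(decode_caps "$1"); do n=$((n + 1)); done
    echo "$n"
}

# is_privileged <hexmask>: succeeds when every known capability is granted,
# which is what --privileged (or --cap-add ALL) produces.
is_privileged() {
    total=0
    for w in $CAP_NAMES; do total=$((total + 1)); done
    [ "$(cap_count "$1")" -eq "$total" ]
}

# Constructed excerpt of /proc/1/status for a container started as in Example 1
# (--cap-drop all --cap-add chown); a real file contains many more lines.
eff=$(printf 'Name:\tbash\nCapPrm:\t0000000000000001\nCapEff:\t0000000000000001\n' | read_caps)
echo "effective: $(decode_caps "$eff") ($(cap_count "$eff") capability)"
if is_privileged "$eff"; then echo "PRIVILEGED"; else echo "restricted"; fi
```

Docker's default mask 00000000a80425fb decodes to the 14 capabilities a container gets without any --cap-* options, which is a useful baseline when reviewing a container that claims to be locked down.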

4. Summary

In this tutorial, you've learned about the risks of running Docker containers in privileged mode and how to avoid them by running containers with limited privileges. You've also learned how to use Docker’s --cap-add and --cap-drop options and how to check the capabilities of a running Docker container.

For further learning, you can explore other Docker security features such as user namespaces, seccomp profiles, and more.

5. Practice Exercises

5.1 Exercise 1: Run a Docker Container with Only the setgid and setuid Capabilities

Hint: Use the --cap-add option to add the setgid and setuid capabilities.

5.2 Exercise 2: Check the Capabilities of the Docker Container You Just Ran

Hint: Use the docker exec -it <container_id> capsh --print command to print the capabilities of the running Docker container.

5.3 Exercise 3: Try Running a Command That Requires a Capability That the Docker Container Does Not Have

Hint: Try running the ping command in a Docker container that does not have the net_raw capability.

5.4 Solutions

The solutions for the exercises are as follows:

5.4.1 Solution for Exercise 1

docker run --cap-drop all --cap-add setgid --cap-add setuid ubuntu

5.4.2 Solution for Exercise 2

docker exec -it <container_id> capsh --print

5.4.3 Solution for Exercise 3

If you try to run the ping command in a Docker container that does not have the net_raw capability, you will get an error message. This is because the ping command requires the net_raw capability to function correctly.