Merge pull request #20252 from vrothberg/privileged

containers.conf: add `privileged` field to containers table
2025-08-06 11:32:07 +08:00 · 2023-10-07 11:34:45 +00:00
parent b7f708a942 362eca6691
commit e9d6ffa8f0
14 changed files with 81 additions and 16 deletions
--- a/docs/source/markdown/options/privileged.md
+++ b/docs/source/markdown/options/privileged.md
@ -16,5 +16,8 @@ mode (**--systemd=always**).
 A privileged container turns off the security features that isolate the
 container from the host. Dropped Capabilities, limited devices, read-only mount
 points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
+Due to the disabled security features, the privileged field should almost never
+be set as containers can easily break out of confinement.

-Rootless containers cannot have more privileges than the account that launched them.
+Containers running in a user namespace (e.g., rootless containers) cannot have
+more privileges than the user that launched them.