Concerns About Creating a Docker Container With Optional Flags

Some online Docker literature suggests creating a new Docker container (e.g., the "docker run" command) with these two options:

--net=host --privileged=true

There are some caveats with these flags. First, if you use them, a process inside your container can make changes to the Docker server (the host) itself.* For some applications, this defeats Docker's purpose of isolating the application from the host. Secondly, if the application you run in Docker becomes compromised, the entire host could be vulnerable to an attack launched through the Docker container.* For theoretical testing, or for unimportant servers protected by a firewall and sitting behind intrusion detection systems, these flags are probably acceptable to use.
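As an added illustration (not from the original post or from the Docker Cookbook), the script below reads the JSON that `docker inspect` prints and lists every container that was started with either flag, so the exposure described above can be found on a host before it matters. `HostConfig.Privileged`, `HostConfig.NetworkMode` and `HostConfig.CapAdd` are real fields of that output; the sample JSON, container ids and names are constructed for offline use.

```python
"""Audit `docker inspect` output for --privileged and --net=host containers.

Added example, not code from the original post. It expects the JSON printed by
`docker inspect $(docker ps -q)`: a list of objects whose HostConfig carries
`Privileged` (bool), `NetworkMode` (string) and `CapAdd` (list or null).
"""
import json
from typing import Any, Dict, List

# Constructed sample standing in for real `docker inspect` output.
SAMPLE_INSPECT_JSON = """
[
  {"Id": "aaaa1111aaaa1111", "Name": "/web-frontend",
   "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "CapAdd": null}},
  {"Id": "bbbb2222bbbb2222", "Name": "/net-debug",
   "HostConfig": {"Privileged": true, "NetworkMode": "host", "CapAdd": null}},
  {"Id": "cccc3333cccc3333", "Name": "/metrics-agent",
   "HostConfig": {"Privileged": false, "NetworkMode": "host", "CapAdd": ["NET_ADMIN"]}}
]
"""


def audit_containers(inspect_json: str) -> List[Dict[str, Any]]:
    """Return one finding per container whose HostConfig widens host exposure.

    A finding lists the reasons: --privileged, --net=host, or extra capabilities
    added with --cap-add (the last one is reported so it is not overlooked, but
    it is far narrower than --privileged).
    """
    findings = []
    for container in json.loads(inspect_json):
        host_config = container.get("HostConfig") or {}
        reasons = []
        if host_config.get("Privileged"):
            reasons.append("--privileged: container can alter the Docker host itself")
        if host_config.get("NetworkMode") == "host":
            reasons.append("--net=host: container shares the host's network namespace")
        cap_add = host_config.get("CapAdd") or []
        if cap_add:
            reasons.append("--cap-add: extra capabilities " + ",".join(cap_add))
        if reasons:
            findings.append({
                "id": container["Id"][:12],
                "name": container["Name"].lstrip("/"),
                "reasons": reasons,
            })
    return findings


def format_findings(findings: List[Dict[str, Any]]) -> List[str]:
    """Render findings as one human-readable line per reason."""
    lines = []
    for finding in findings:
        for reason in finding["reasons"]:
            lines.append(f"{finding['id']} {finding['name']}: {reason}")
    return lines


if __name__ == "__main__":
    import sys
    # Pipe real output in: docker inspect $(docker ps -q) | python3 audit.py
    data = SAMPLE_INSPECT_JSON if sys.stdin.isatty() else sys.stdin.read()
    for line in format_findings(audit_containers(data)):
        print(line)
```

Run against a live host with `docker inspect $(docker ps -q) | python3 audit.py`; with no input on stdin it audits the constructed sample instead, which reports `net-debug` (both flags) and `metrics-agent` (host network plus an added capability) and stays silent about `web-frontend`.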

Docker 1.10 resolved bugs in its networking, so it may be advisable to upgrade to that version or higher; doing so may remove the reason you would otherwise reach for the two flags above when creating new Docker containers.

* Taken from page 82 of Docker Cookbook written by Sebastien Goasguen.
