Introduction

Docker privileged mode usually appears in one of two situations: a container only works after adding --privileged, or a security review flags a workload that is already running with full host access. The right fix is to determine what the container actually needs instead of treating --privileged as a normal runtime setting.

Symptoms

  • A container fails with operation not permitted until --privileged is added
  • Security scans or platform policy reject privileged containers
  • The workload needs access to /dev, iptables, nested container tools, or low-level networking
  • A CI job or debugging container works locally but is blocked in shared environments

Common Causes

  • --privileged was added as a quick workaround and never revisited
  • The workload needs only one or two Linux capabilities, not full host access
  • Required devices or mounts were not passed explicitly
  • Seccomp or AppArmor restrictions block a narrow syscall path

Step-by-Step Fix

  1. Confirm whether the container is already privileged. Check the current runtime flags before changing the image or entrypoint.

```bash
docker inspect --format '{{.HostConfig.Privileged}}' <container>
docker inspect --format '{{json .HostConfig.CapAdd}}' <container>
```

  2. Identify the exact permission or device the workload needs. Look for the failing operation in the container logs or startup script.

```bash
docker logs <container>
```

  3. Replace full privilege with targeted capabilities or device mappings. Most containers need a small subset of access instead of unrestricted host control.

```bash
docker run --cap-add=NET_ADMIN --device /dev/net/tun my-image
```

  4. Review security options separately from capability needs. If seccomp or another runtime profile is the blocker, fix that path directly. Note that seccomp=unconfined removes the syscall filter entirely; where possible, use a custom profile that allows only the blocked syscall.

```bash
docker run --security-opt seccomp=unconfined --cap-add=SYS_ADMIN my-image
```

  5. If full privilege is unavoidable, isolate the workload. Keep privileged containers off shared hosts and reduce surrounding risk where possible.

```bash
docker run --privileged --network none --read-only my-image
```
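The inspection in step 1 and the security-option review in step 4 can be automated. The following audit script is an added example, not code from this page: it reads the JSON that `docker inspect <container>` prints and reports privileged mode, high-risk capabilities, disabled seccomp/AppArmor profiles and sensitive host bind mounts. The `vpn-gateway` record is a constructed sample trimmed to the fields the script uses.

```python
"""Audit the HostConfig of `docker inspect` output for host-access settings.

Usage: docker inspect <container> | python3 audit_privs.py
"""
import json
import sys

# Capabilities that hand out near-host control even without --privileged.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "NET_ADMIN", "BPF"}
SENSITIVE_HOST_PATHS = {"/", "/dev", "/proc", "/sys", "/var/run/docker.sock"}


def audit_host_config(host_config):
    """Return human-readable findings for one container's HostConfig dict."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged=true: full host access; replace with --cap-add/--device")
    # Docker reports capabilities with or without the CAP_ prefix; normalise both.
    caps = {c.removeprefix("CAP_") for c in host_config.get("CapAdd") or []}
    for cap in sorted(caps & HIGH_RISK_CAPS):
        findings.append(f"cap-add {cap}: high-risk capability, confirm it is required")
    for opt in host_config.get("SecurityOpt") or []:
        if opt.endswith("=unconfined"):
            findings.append(f"security-opt {opt}: profile disabled entirely, prefer a custom profile")
    for bind in host_config.get("Binds") or []:
        src = bind.split(":")[0]          # Binds are "host:container[:opts]"
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"bind {src}: sensitive host path mounted into the container")
    return findings


def audit_inspect_output(text):
    """Parse `docker inspect` JSON (a list of records) into {container name: findings}."""
    return {rec.get("Name", "?").lstrip("/"): audit_host_config(rec.get("HostConfig", {}))
            for rec in json.loads(text)}


# Constructed sample resembling `docker inspect` output (only the fields used here).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/vpn-gateway",
    "HostConfig": {"Privileged": True, "CapAdd": ["NET_ADMIN"],
                   "SecurityOpt": ["seccomp=unconfined"],
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
}])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    for name, findings in audit_inspect_output(data or SAMPLE_INSPECT).items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```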

Prevention

  • Start from least privilege and add only the required capabilities
  • Document required devices, mounts, and capabilities per container
  • Keep privileged workloads isolated from shared multi-tenant hosts
  • Treat --privileged as an exception that needs review, not as the default fix