Build with docker and --privileged
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
The --privileged flag in Docker gives a container almost full access to the host system — all Linux capabilities, all devices, and the ability to modify kernel parameters. While this is sometimes necessary for builds that need low-level system access (like building kernel modules, running Docker-in-Docker, or mounting filesystems), it completely breaks container isolation. The better approach is to grant only the specific capabilities needed using --cap-add rather than opening everything with --privileged.
What --privileged Does
A normal Docker container runs with a restricted set of Linux capabilities. The --privileged flag removes those restrictions:
Specifically, --privileged grants:
- All Linux capabilities (CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_PTRACE, etc.)
- Access to all host devices (
/dev/sda,/dev/mem, etc.) - Ability to mount filesystems, load kernel modules, and modify kernel parameters
- Disabled seccomp, AppArmor, and SELinux profiles
Building with --privileged
Some build operations require privileges not available in a standard container:
In Docker BuildKit, use --allow security.insecure instead of --privileged for build-time privileges:
Safer Alternatives
Instead of --privileged, use the minimum capabilities needed:
Common Capability Mappings
| Use Case | Capability | Instead of --privileged |
| Network configuration | --cap-add NET_ADMIN | Yes |
| Mount filesystems | --cap-add SYS_ADMIN | Yes |
| Debug with ptrace | --cap-add SYS_PTRACE | Yes |
| Modify system time | --cap-add SYS_TIME | Yes |
| Access raw sockets | --cap-add NET_RAW | Yes |
| Load kernel modules | --cap-add SYS_MODULE | Yes |
Docker-in-Docker Without --privileged
For CI/CD pipelines that need to build Docker images, avoid --privileged by using rootless alternatives:
Docker Compose with Privileged
Common Pitfalls
- Using --privileged for Docker-in-Docker in CI: Mounting the Docker socket (
-v /var/run/docker.sock) or using Kaniko is safer.--privilegedin CI gives every build full host access, which is a major security risk. - Leaving --privileged in production: The flag is sometimes added during debugging and forgotten. A privileged container can escape to the host — never use it in production deployments.
- Not dropping capabilities first: When using
--cap-add, also use--cap-drop ALLto start with zero capabilities, then add only what you need. Without--cap-drop ALL, the container still has the default set. - Assuming --privileged is needed for /dev access: Use
--device /dev/fuseor--device /dev/kvmto expose specific devices.--privilegedexposes every device on the host. - BuildKit security flag confusion:
docker buildx build --allow security.insecureis build-time only and scoped to individual RUN steps. It is safer than running the entire container as privileged.
Summary
--privilegedgives a container full host access — all capabilities, all devices, disabled security profiles- Use
--cap-addwith specific capabilities instead of--privilegedwhenever possible - For Docker-in-Docker builds, prefer socket mounting, Kaniko, or rootless BuildKit
- In Docker Compose, use
cap_addandcap_drop: [ALL]for fine-grained control - Never leave
--privilegedin production — it is a debugging and build-time convenience, not a runtime configuration

