
A toolkit for orchestrating distributed systems at any scale. It includes primitives for node discovery, raft-based consensus, task scheduling and more. This version allows privileged container creation. Do not use the privileged flag if you do not understand what you are doing.


guilh22/swarmkit-privileged

 
 


Overview

SwarmKit-Privileged is a fork of the original SwarmKit project. This fork's primary goal is to enable the use of the privileged flag for containers managed by Docker Swarm, allowing certain applications requiring elevated permissions to run in Swarm.

Important: The privileged flag should only be used by users who fully understand the security implications. Running containers in privileged mode can expose the host system to serious security vulnerabilities.

For all other documentation and usage, you can still refer to the original SwarmKit repository. This fork mainly adds support for the privileged flag, and all other features remain consistent with the upstream project.

Special shout-out: A big thanks to olljanat for most of the groundwork that made this fork possible.


Key Changes in This Fork

  • Support for privileged Containers: This fork introduces support for the privileged flag in Docker Compose and Swarm services. This allows containers to run with full privileges, similar to how Kubernetes handles privileged containers.

    Example docker-compose.yml:

    version: '3.8'
    services:
      myservice:
        image: nginx
        privileged: true
        deploy:
          replicas: 1
  • Security Considerations: Enabling privileged containers grants elevated access to the host system, which can compromise its security. Only use the privileged flag in environments where the risks are well-understood and mitigated. We recommend using this feature only when absolutely necessary and in controlled environments.
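
One way to check a node for privileged containers outside an approved set of services, as an added example (not code from this fork or from SwarmKit). It assumes privileged services show up as `HostConfig.Privileged: true` in `docker inspect` output and that task containers carry the `com.docker.swarm.service.name` label; the container names, service names and allowlist are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// container is the subset of `docker inspect` JSON this audit reads.
type container struct {
	Name       string
	HostConfig struct{ Privileged bool }
	Config     struct{ Labels map[string]string }
}
// Label Swarm sets on task containers (assumed unchanged in this fork).
const serviceLabel = "com.docker.swarm.service.name"
// sampleInspect is constructed input, not output captured from a real node.
const sampleInspect = `[
{"Name":"/stack_myservice.1.aaa","HostConfig":{"Privileged":true},"Config":{"Labels":{"com.docker.swarm.service.name":"stack_myservice"}}},
{"Name":"/stack_agent.1.bbb","HostConfig":{"Privileged":true},"Config":{"Labels":{"com.docker.swarm.service.name":"stack_agent"}}},
{"Name":"/stack_web.1.ccc","HostConfig":{"Privileged":false},"Config":{"Labels":{"com.docker.swarm.service.name":"stack_web"}}},
{"Name":"/debug","HostConfig":{"Privileged":true},"Config":{"Labels":null}}]`

// UnapprovedPrivileged lists privileged containers whose Swarm service is not
// in approved. Privileged containers with no service label are always listed.
func UnapprovedPrivileged(inspectJSON []byte, approved map[string]bool) ([]string, error) {
	var cs []container
	if err := json.Unmarshal(inspectJSON, &cs); err != nil {
		return nil, fmt.Errorf("parse docker inspect output: %w", err)
	}
	var findings []string
	for _, c := range cs {
		svc := c.Config.Labels[serviceLabel]
		if !c.HostConfig.Privileged || (svc != "" && approved[svc]) {
			continue
		}
		if svc == "" {
			svc = "(no swarm service)"
		}
		findings = append(findings, svc+" "+c.Name)
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	findings, err := UnapprovedPrivileged([]byte(sampleInspect), map[string]bool{"stack_myservice": true})
	fmt.Println(findings, err)
}
```

On a real node the input would be the JSON array printed by `docker inspect` for the running containers, with the allowlist kept under change control.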


Features

Apart from the privileged container support, SwarmKit-Privileged retains all the original SwarmKit features, including:

  • Distributed: Uses the Raft Consensus Algorithm for coordination and fault tolerance.
  • Secure: Provides mutual TLS for secure node communication and certificate rotation.
  • Simple: Operates without requiring external databases or complex setups.
  • Orchestration: Provides desired state reconciliation, service types, configurable updates, and restart policies.
  • Scheduling: Aware of node resources and constraints to place tasks efficiently.
  • Cluster Management: Dynamic role changes, node draining, and more for flexible cluster management.
  • Security: Offers mutual TLS, token-based joins, and automated certificate rotations.

Security Warning

Warning: The privileged flag grants containers root-level access to the host machine, which can significantly increase the attack surface and compromise system security. It should only be used by experienced administrators who understand the potential risks and can manage them properly.

DO NOT use the privileged flag unless you have a clear understanding of what it does and why it’s necessary for your use case.


For more detailed usage examples and features, please refer to the original SwarmKit documentation.


Languages

  • Go 97.9%
  • TLA 1.6%
  • Other 0.5%