From ac7c928853fe17705440ccb75cc7318325cead5a Mon Sep 17 00:00:00 2001
From: Sonic Build Admin <sonicbld@microsoft.com>
Date: Thu, 12 Mar 2026 02:24:27 +0000
Subject: [PATCH] [docker-otel] limit privileged flag for otel container

<!--
     Please make sure you've read and understood our contributing guidelines:
     https://github.com/Azure/SONiC/blob/gh-pages/CONTRIBUTING.md

     ** Make sure all your commits include a signature generated with `git commit -s` **

     If this is a bug fix, make sure your description includes "fixes #xxxx", or
     "closes #xxxx" or "resolves #xxxx"

     Please provide the following information:
-->

#### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)

##### Work item tracking
- Microsoft ADO **(number only)**:

#### How I did it

#### How to verify it
Run otel sonic-mgmt tests
```
admin@vlab-01:~$ docker inspect otel | grep Privi
            "Privileged": false,
```
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
<!--
If PR needs to be backported, then the PR must be tested against the base branch and the earliest backport release branch and provide tested image version on these two branches. For example, if the PR is requested for master, 202211 and 202012, then the requester needs to provide test results on master and 202012.
-->

#### Which release branch to backport (provide reason below if selected)

<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->

- [ ] 202305
- [ ] 202311
- [ ] 202405
- [ ] 202411
- [ ] 202505
- [x] 202511

#### Tested branch (Please provide the tested image version)
202412
<!--
- Please provide tested image version
- e.g.
- [x] 20201231.100
-->

- [ ] <!-- image version 1 -->
- [ ] <!-- image version 2 -->

#### Description for the changelog
<!--
Write a short (one line) summary that describes the changes in this
pull request for inclusion in the changelog:
-->

<!--
 Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
-->

#### Link to config_db schema for YANG module changes
<!--
Provide a link to config_db schema for the table for which YANG model
is defined
Link should point to correct section on https://github.com/Azure/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md
-->

Signed-off-by: Sonic Build Admin <sonicbld@microsoft.com>

#### A picture of a cute animal (not mandatory but encouraged)
---
 rules/docker-otel.mk | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/docker-otel.mk b/rules/docker-otel.mk
index d368e2135e..4c0a1346fc 100644
--- a/rules/docker-otel.mk
+++ b/rules/docker-otel.mk
@@ -32,7 +32,6 @@ $(DOCKER_OTEL)_RUN_OPT += -v /:/mnt/host:ro
 $(DOCKER_OTEL)_RUN_OPT += -v /tmp:/mnt/host/tmp:rw
 $(DOCKER_OTEL)_RUN_OPT += -v /var/tmp:/mnt/host/var/tmp:rw
 $(DOCKER_OTEL)_RUN_OPT += --pid=host
-$(DOCKER_OTEL)_RUN_OPT += --privileged
 $(DOCKER_OTEL)_RUN_OPT += --userns=host
 
 $(DOCKER_OTEL)_BASE_IMAGE_FILES += monit_otel:/etc/monit/conf.d