Cockpit can manage containers via Docker. This functionality is present in the Cockpit docker package.
Cockpit communicates with the Docker daemon via its API via the
/var/run/docker.sock unix socket. The Docker API
is root equivalent, and on a properly configured system, only
can access the Docker API. If the currently logged in user is not
then Cockpit will try to
escalate the user's privileges via Polkit
or sudo before connecting to the socket.
Alternatively one may
docker unix group. Anyone in that
docker group can then access
the Docker API, and gain root privileges on the system. This
impacts system security
and is not recommended for general usage.
Similar container functionality is available on the command line via the
$ sudo docker run -ti fedora /bin/bash [root@57625bc8787e /]#