I came upon your cool project via HN, but at the same time there was another Hacker News thread running the front page: Host Your Blog on DigitalOcean with Docker, Nginx ....
The top comment here, by @cyphar , who warned strongly against giving access to the host's Docker socket:
volumes: - /var/run/docker.sock:/var/run/docker.sock:ro
Please for the love of all that is holy, do not ever do this! Giving access to the host's Docker socket is equivalent to giving a container unrestricted root access to your host. Mounting the socket read-only doesn't protect you in any way either, because you can still connect to and write to the socket! Seriously, try it:
% touch /tmp/docker.sock
% mount --bind -o ro /var/run/docker.sock /tmp/docker.sock # this is -v /var/run/docker.sock:/foo:ro
% docker -H unix:///tmp/docker.sock run --privileged -v /:/host -it ubuntu bash
# # I couldn't write to it, but I can connect and write to the connection...
# cat /host/etc/shadow # whoops!
(The full container escape is left as an exercise for the reader. It's pretty trivial though.)
To be fair, there are unix-like DAC controls that do restrict this somewhat but given that most people run containers as root or they don't use user namespaces this is still an issue.
Please stop doing this, please stop telling people to do this, and please stop making images that access docker.sock. I understand that this is something that a lot of people do, so it's obviously not exclusively the fault of the author for doing what the majority of people appear to be doing, but I think that this deserves to be said much stronger than it was in the past (people still expose Docker over the internet -- which is literally a free root-level RCE for anyone who figures out you're hosting it).
And yes, AuthZ plugins exist but nobody really uses them as far as I'm aware -- and personally (as someone who maintains container runtimes and other low-level container tools) I would not feel confident in depending on any AuthZ plugin's profile to protect against a container escape where you give unprivileged users access to /var/run/docker.sock. Even if I were to write one.
I am not the expert on the issue, but it may be worthwhile to investigate the implications more closely.
I came upon your cool project via HN, but at the same time there was another Hacker News thread running the front page: Host Your Blog on DigitalOcean with Docker, Nginx ....
The top comment here, by @cyphar , who warned strongly against giving access to the host's Docker socket:
I am not the expert on the issue, but it may be worthwhile to investigate the implications more closely.