Proposal: option to disable docker exec #8664
Comments
|
Improving on the idea, there should be a set of commands that is allowed to execute within a given container, everything else is no-go. Gives the best of the both worlds but doesn't sound simple. |
|
If someone has access to Docker, they have access to your entire system, can join namepsaces, etc. |
|
Agree with @cpuguy83, at very least you are allowing |
|
Closing |
|
Specifically with
Additionally, from a philosophical standpoint, the To be clear tho, I do think that |
|
@inthecloud247 I think you could hijack API calls and deny those for exec, if that's your use-case. You could do this with a shim/wrapper over the docker API (or check how people are already doing this), and generally you should already have this in place if you are trying to alllow a subset of Docker commands for your users. Unrelated, but in #8703 I was discussing with @LK4D4 if this is going to become synchronous and returning the process exit code. I also see it as a tool for debugging/deployment, but no matter what people can/will do with it, I think it is useful as far as it is kept a generic command. |
|
@cpuguy83 @gdm85 The ability to filter API calls for different users should probably be included in base docker functionality. I haven't seen any public discussion of docker's 'enterprise' roadmap, but I hope there won't be an 'enterprise' docker version that supports ldap/pam or multiple user management. @gdm85 Agreed that we can definitely implement a shim/wrapper with devops glue. DevOps engineers twiddle their thumbs all day anyhow and could use some real work now and again. :D But seriously, expecting users to implement shims or wrappers to enhance security leads to situations where most users will simply be unprotected. If I'm helping a company secure their infrastructure in preparation for a PCI/ISO or security audit, I would either disable At least the new Docker 1.3 seems to now encourage secure api endpoint connections. But then allowing I'd be interested to contribute towards this effort if it's something that would be of interest to incorporate into docker core, but if not I'll try and use a non docker-specific workaround that I can use for other api-trusting-by-default systems like elasticsearch. The goal is something better than a custom nginx or haproxy setup, but that can be at least a way to get something in place. |
|
@inthecloud247 sorry but I think we have diverging views on who is the target user of docker. For me, it's the devops/engineer, so a person that already has full (root) trust on the host system. If in your case it's different please tell me where in Docker design/documentation it is pointed out that you can use Docker without full trust on host system, because I haven't seen it so far (although obviously would be interesting to know about this). I was mentioning that you ought write such wrapper because by design Docker does not expect nothing less than full trust (AFAIK), and of course you can desire more granular control but it has to be proposed as a feature request and then if it's in line with the goal and design principles of the project the devs might start work on it, e.g. it's not a bug. |
|
as @cpuguy83 has mentioned, anyone that has access to the docker socket has FULL access to the host system (and by extension every container on it), As such, I doubt the docker people will do something special for |
Just chiming in to be "that guy" and say you shouldn't be doing this. Using |
|
@nathanleclaire agreed that ppl shouldn't be using docker exec to mutate container state. But that said, I feel that it's likely that most of the devs I know will be doing this, and I think a lot of sysadmins are going to use this heavily by building up containers on startup using a bunch of external shell scripts run by docker exec. After reading through everyone's feedback, I think that there may be a way to make everyone fairly happy without requiring major modifications. So I would propose adding to a docker metadata equivalent of a "time last-modified" metadata common on filesystems. This wouldn't require additional logging or filtering. The current state metadata is like this: "State": {
"ExitCode": 0,
"FinishedAt": "0001-01-01T00:00:00Z",
"Paused": false,
"Pid": 19967,
"Restarting": false,
"Running": true,
"StartedAt": "2014-10-20T10:53:50.649532096Z"
},So with my proposal here, we could have a new state datapoint for "ModifiedAt": "State": {
"ExitCode": 0,
"FinishedAt": "0001-01-01T00:00:00Z",
"Paused": false,
"Pid": 19967,
"Restarting": false,
"Running": true,
"StartedAt": "2014-10-20T10:53:50.649532096Z",
"ModifiedAt": "2014-10-20T10:55:50.649532096Z"
},On container start, ModifiedAt would be set to the same at StartedAt. And thoughts? @jpetazzo @crosbymichael smells ok? :-) btw, thanks for the feedback here. It's good to get clarity on where the current community thinking is holding. Glad I asked before opening a pull request lol. EDIT: moved into new proposal #8768 . discussion / feedback on this should go there. |
|
my two pence on the issue: anyone running on a hosted situation is at the mercy of the sysadmins. I have root access to my hosts but so do the admins of the hosting company, which means they can tinker with my stuff. if you're running in an untrusted environment that is very much not good |
|
I think the core request is to find a way to programmatically prevent external modification of running containers. Yes, if you can run containers, you are already 'inside the henhouse'. I think that having a mechanism that does more than saying "well, you weren't supposed to modify it" as an option, particularly in a production environment would improve security. |
|
This is supported via authz plugins. |
Adding the ability to disable the docker exec command will help enhance security and encourage best practices for companies running docker on production systems.
The text was updated successfully, but these errors were encountered: