Run agent scanner components in separate docker containers #303
Comments
The primary concern with this idea is that the agent container (which handles communication with the server and orchestration of the sub-components) can now control the entire Docker API, which is not really ideal for security. But it also means that the agent is in a higher trust zone, because that container isn't actually communicating with anything directly. For example, a Chrome 0day right now could result in the entire agent container being compromised. By putting sub-components in different containers that are launched on demand, this would definitely increase the boundaries. How do we (safely) move files between containers? We don't just read stdout from nmap, we read the
Agreed on the security aspects. I won't downplay those. There appear to be some players that perform ACL on the Docker API:
Options for moving files between containers:
Heh, we do already base64 the images as part of the blob across the wire so that everything needed for a scan to be processed is included in a single POST request (this has caused issues with nginx's
Is your feature request related to a problem?
Issues with the existing solution of running everything in a single container:
Describe the feature you'd like
We could run the agent scanning components in separate Docker containers with separate images. The Natlas agent would bind mount the docker.sock into the container, then use the Docker API to orchestrate the worker containers and cleanup after it's done.
Have you considered alternative ways to get this feature
Additional context
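The orchestration the issue proposes (the agent holding docker.sock and launching workers in separate containers) and the "how do we move files between containers" question from the first comment, as an added example that is not Natlas code: a stdlib-only Python client for the Docker Engine API that creates a least-privilege worker container, starts it, waits for it to exit, pulls its result file back through the archive endpoint (a tar stream, so no shared volume or second bind mount is needed), and removes the container even if collection fails. The socket path, the API version prefix, the image name scanner/nmap and the result path /out/scan.xml are assumptions; the sample tar returned by sample_archive() is constructed here to stand in for what the archive endpoint returns. The caveat the first comment raises still applies: whichever process can reach docker.sock is root-equivalent on the host, so this design moves the crown jewels into the agent container rather than removing them, and the workers themselves must never see the socket.

```python
"""Run a throwaway scanner worker over the Docker Engine API.

Added example, not Natlas code. Assumes the Engine API socket at
/var/run/docker.sock and a hypothetical image "scanner/nmap" that writes
its result to /out/scan.xml.
"""
import http.client
import io
import json
import socket
import tarfile
import urllib.parse

DOCKER_SOCK = "/var/run/docker.sock"  # assumption: default engine socket
API_PREFIX = "/v1.41"                 # assumption: any 1.25+ API works


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to the Engine API over its Unix socket."""

    def __init__(self, path=DOCKER_SOCK):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def api(method, path, body=None, raw=False):
    """One Engine API call; returns parsed JSON, or raw bytes for tar streams."""
    conn = UnixHTTPConnection()
    payload = json.dumps(body) if body is not None else None
    headers = {"Content-Type": "application/json"} if payload else {}
    conn.request(method, API_PREFIX + path, body=payload, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status >= 300:
        raise RuntimeError(f"{method} {path}: HTTP {resp.status} {data[:200]!r}")
    if raw or not data:
        return data
    return json.loads(data)


def worker_spec(image, cmd, caps=("NET_RAW", "NET_ADMIN")):
    """Body for POST /containers/create describing a least-privilege worker.

    All capabilities are dropped except what raw-socket scanning needs, the
    root filesystem is read-only, output goes to a tmpfs, privilege gain is
    blocked, and no docker.sock is mounted. AutoRemove is deliberately left
    off so the result can be collected after exit; cleanup is explicit.
    """
    return {
        "Image": image,
        "Cmd": list(cmd),
        "HostConfig": {
            "CapDrop": ["ALL"],
            "CapAdd": list(caps),
            "ReadonlyRootfs": True,
            "SecurityOpt": ["no-new-privileges"],
            "Tmpfs": {"/out": "rw,noexec,nosuid,size=64m"},
            "Memory": 512 * 1024 * 1024,
            "PidsLimit": 256,
        },
    }


def file_from_archive(tar_bytes, name):
    """Extract one regular file from the tar stream the archive endpoint returns."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            if member.isfile() and member.name.rsplit("/", 1)[-1] == name:
                return tf.extractfile(member).read()
    raise FileNotFoundError(name)


def sample_archive():
    """Constructed stand-in for GET /containers/{id}/archive?path=/out/scan.xml."""
    payload = b'<?xml version="1.0"?><nmaprun><host><address addr="192.0.2.10"/></host></nmaprun>'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        info = tarfile.TarInfo("scan.xml")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def run_worker(spec, result_path):
    """Create, start, wait, collect the result file, and always remove the worker."""
    cid = api("POST", "/containers/create", spec)["Id"]
    try:
        api("POST", f"/containers/{cid}/start")
        status = api("POST", f"/containers/{cid}/wait")["StatusCode"]
        query = urllib.parse.urlencode({"path": result_path})
        tar_bytes = api("GET", f"/containers/{cid}/archive?{query}", raw=True)
        return status, file_from_archive(tar_bytes, result_path.rsplit("/", 1)[-1])
    finally:
        api("DELETE", f"/containers/{cid}?force=true")


if __name__ == "__main__":
    spec = worker_spec("scanner/nmap",
                       ["nmap", "-oX", "/out/scan.xml", "-p80,443", "192.0.2.10"])
    status, xml = run_worker(spec, "/out/scan.xml")
    print(status, xml[:120])
```

The agent keeps the socket and the workers get only a tmpfs and two capabilities, so a worker compromise ends at the worker's cgroup and namespaces; the file moves back as a tar stream over the same API the agent already holds, which is simpler and narrower than a shared volume that both sides could write to.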