Comment on Exposing docker socket to a container
i_am_not_a_robot@discuss.tchncs.de 5 hours agoMounting the docker socket into Watchtower is fine from a security perspective, but automatic updates can definitely cause problems. I used to use Rennovate and it would open a pull request to update the version.
5ymm3trY@discuss.tchncs.de 5 hours ago
There are lots of articles out there that say the opposite. Not about Watchtower per se, but giving a container access to the socket is generally a bad idea from a security point of view.
i_am_not_a_robot@discuss.tchncs.de 2 hours ago
Giving a container access to the docker socket allows container escapes, but if you’re doing it on purpose with a service designed for that purpose there is no problem. Either you trust Watchtower to manage the other containers on your system or you don’t. Whether it’s managing the containers through a mounted docker socket or with direct socket access doesn’t make a difference in security.
I don’t know if anybody seriously uses Watchtower, but I wouldn’t be surprised. I know that companies use tools like Argo CD, which has a larger attack surface and a similar level of system access via its Kubernetes service user.
5ymm3trY@discuss.tchncs.de 5 minutes ago
I think I get where your coming from. In this specific case of Watchtower it is not a security flaw it just uses the socket to do what it is supposed to do. You either trust them and live with the risks it comes with or you don’t and find another solution. I used Watchtower as the example because it was the first one I came across that needs this access. There might be a lot of other containers out there that use this, so I wanted to hear peoples opinions on this topic and their approach.