Exposing docker socket to a container

Submitted ⁨⁨6⁩ ⁨hours⁩ ago⁩ by ⁨5ymm3trY@discuss.tchncs.de⁩ to ⁨selfhosted@lemmy.world⁩

Do you guys expose the docker socket to any of your containers or is that a strict no-no? What are your thoughts behind it if you don’t? How do you justify this decision from a security standpoint if you do?

I am still fairly new to docker but I like the idea of something like Watchtower. Even though I am not a fan of auto-updates and I probably wouldn’t use that feature I still find it interesting to get a notification if some container needs an update. However, it needs to have access to the docker socket to do its work and I read a lot about that and that this is a bad idea which can result in root access on your host filesystem from within a container.

There are probably other containers as well especially in this whole monitoring and maintenance category, that need that privilege, so I wanted to ask how other people handle this situation.

Cheers!

source

Comments

Sort:hotnew top

glizzyguzzler@piefed.blahaj.zone ⁨2⁩ ⁨hours⁩ ago
Per this guide https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html I do not. I have a cron/service script that updates containers automatically (‘docker compose pull’ I think) that I don’t care if they fail for a bit (pdf converter, RSS reader, etc.) or they’re exposed to the internet directly (Authentik, caddy).

Note that smart peeps say that the docker socket is not safe as read-only. Watchtower is inherently untenable sadly, so is Traefik (trusting a docker-socket-proxy container with giga root permissions only made sense to me if you could audit the whole thing and keep auditing with updates and I cannot). https://stackoverflow.com/a/52333163 https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html

I then just have scripts to do the ‘docker compose pull’ for things with oodles of breaking changes (Immich) or things I’d care if they did break suddenly (paperless).

Overall, I’ve only had a few break over a few years - and that’s because I also run all services (per link above) as a user, read-only, and with no capabilities (that aren’t required, afaik none need any). And while some containers are well coded, many are not, and if an update makes changes that want to write to ‘/npm/staging’ suddenly, the read-only torches that until I can figure it out and put in a tmpfs fix. The few failures are worth the peace of mind that it’s locked the fuck down.

I hope to move to podman sometime to eliminate the last security risk - the docker daemon running the containers, which runs as root. Rootless docker seems to be a significant hassle to do at any scale, so I haven’t bothered with that.

source
- 5ymm3trY@discuss.tchncs.de ⁨12⁩ ⁨minutes⁩ ago
  Thank you for your comment and the resources you provided. I definitely look into these. I like your approach of minimizing the attack surface. As I said, I am still new to all of this and I came across the user option of docker compose just recently when I installed Jellyfin. However, I thought the actual container image has to be configured in a way so that this is even possible. Otherwise you can run into permission errors and such. Do you just specify a non-root user and see if it still works?
  
  And while we’re at it, how would you setup something like Jellyfin with regards to read-write permissions? I currently haven’t restricted it to read-only and in my current setup I most certainly need write permissions as well because I store the artwork in the respective directories inside my media folder. Would you just save these files to the non-persisted storage inside the container because you can re-download them anyway and keep the media volume as read-only?
  
  source
Eirikr70@jlai.lu ⁨3⁩ ⁨hours⁩ ago
I use Watchtower just to notify me of the updates. So the docker socket is read-only.

source
- 5ymm3trY@discuss.tchncs.de ⁨2⁩ ⁨hours⁩ ago
  Interesting. I just skimmed through the documentation again and couldn’t find anything about read-only. How did you set it up exactly? Just because it isn’t auto-updating i.e. writing something, doesn’t necessarily mean it doesn’t have write privileges.
  
  source
InnerScientist@lemmy.world ⁨6⁩ ⁨hours⁩ ago
I just follow the software release pages with RSS.

source
- 5ymm3trY@discuss.tchncs.de ⁨5⁩ ⁨hours⁩ ago
  That is actually a pretty good idea. I wanted to try out FreshRSS anyways, so this might be one more reason to do that. Thanks!
  
  source
LainTrain@lemmy.dbzer0.com ⁨6⁩ ⁨hours⁩ ago
Is the container exposed to the internet?

If yes, do not.

If no, I think it will be ok so long as it’s actually not exposed to the internet, e.g. ideally behind NAT with no port forwards and all ipv6 traffic turned off or some other deny all inbound firewall outside the system itself that sits between it and the system on which the container runs.

source
- 5ymm3trY@discuss.tchncs.de ⁨5⁩ ⁨hours⁩ ago
  No, none of my containers are exposed to the internet and I don’t intend to do so. I leave that to people with more experience. I have however setup the Wireguard VPN feature of my router to access my home network from outside which I need occasionally. But as far as I read, that is considered one of the savest options IF you have to make it available. No outside access is of course always preferred.
  
  source
brewery@feddit.uk ⁨6⁩ ⁨hours⁩ ago
Sorry this doesn’t answer your question really but I’ve had issues when I used to auto update containers so stopped doing that. Some things have breaking changes, others just had issues in that release that caused me issues accessing stuff when not at home. I update every so often when I have ten minutes to do updates, check release notes and deal with any issues if they arise or roll back to that version. I spin up what’s up docker to see what’s changed then when finished, stop the container so it doesn’t keep on polling docker hub using my free allowance.

In short, it could be an option to spin it up, let it run, then stop the container so theres less risk it could be used for an attack.

source
- 5ymm3trY@discuss.tchncs.de ⁨5⁩ ⁨hours⁩ ago
  That is the exact reason why I wouldn’t use the auto-update feature. I just thought about setting it up to check for updates and give me some sort of notification. I just feel like a reminder every now and then helps me to keep everything up to date and avoid some sort of never change a running system mentality.
  
  Your idea about setting it up and only letting it run occasionally is definitely one to consider. It would at least avoid manually checking the releases of each container similar to the RSS suggestion of /u/InnerScientist
  
  source
  - brewery@feddit.uk ⁨5⁩ ⁨hours⁩ ago
    To be honest, you would get frequent notifications for updates that are probably more often than just to remind you. If you’re like me, you’ll just end up ignoring them anyway! There are a lot of small updates to a lot of software, most often not from a security point of view but just as people develop their projects. I update every week if I can but can be a couple of weeks, in which I start to feel “guilty” so when it builds up I know I have to do it
    
    source
    -> View More Comments
- i_am_not_a_robot@discuss.tchncs.de ⁨5⁩ ⁨hours⁩ ago
  Mounting the docker socket into Watchtower is fine from a security perspective, but automatic updates can definitely cause problems. I used to use Rennovate and it would open a pull request to update the version.
  
  source
  - 5ymm3trY@discuss.tchncs.de ⁨5⁩ ⁨hours⁩ ago
    There are lots of articles out there that say the opposite. Not about Watchtower per se, but giving a container access to the socket is generally a bad idea from a security point of view.
    
    source
    -> View More Comments