


In this blog article, I found the quote below in a comment:

Ben Firshman


Yes – you're right I should have pointed out the security issue with the Docker socket. That's currently the main blocker to this being practical in production and we're definitely looking for help to make it work better, as you noticed from the to-do list.


While I am sure this made sense to many, for the rest of us, could someone explain in clear terminology exactly what this "security issue" is? I assume it refers to:

  - "/var/run/docker.sock:/var/run/docker.sock"


in the docker-compose file. Is that correct? How would this be exploited? Does this effectively prohibit this approach from Production usage? If so, is there a workaround?


for the rest of us, could someone explain in clear terminology exactly what this "security issue" is?


The owner of the Docker socket /var/run/docker.sock is root on the host where the container is running, with default group membership of the docker group. That's why mounting /var/run/docker.sock inside another container gives you root privileges, since you can now do anything that a root user with membership in the docker group can.


Does this effectively prohibit this approach from Production usage? If so, is there a workaround?


For a workaround, maybe these posts will help: https://integratedcode.us/2016/04/08/user-namespaces-sharing-the-docker-unix-socket/ and https://integratedcode.us/2016/04/20/sharing-the-docker-unix-socket-with-unprivileged-containers-redux/


Taking a step back, it would be useful to understand the use case where you need to mount /var/run/docker.sock and see if there are alternative ways to satisfy the use case. Unfortunately, without a use case description in the question, it is difficult to provide an alternative which avoids mounting the Unix socket.


Good luck and kudos for trying to do the right thing!
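A practical follow-up to the answer above is knowing which containers on a host actually have the daemon socket mounted, so the exposure can be reviewed rather than discovered later. The script below is an added example written for this page, not code from the question, the answer or the Docker project. It parses the JSON that `docker inspect` prints (the real `Mounts` and `HostConfig.Privileged` fields) and reports every container whose bind mount has `/var/run/docker.sock` as its host-side source, whatever path it is mounted at inside the container. It goes slightly beyond the question's compose line in one way: it also reports mounts made with `:ro`, because a read-only bind mount of the socket still lets the container talk to the daemon API, which is where the root-equivalent power comes from. The two containers in `SAMPLE_INSPECT` are constructed sample data.

```python
import json

# Host-side path of the Docker daemon's Unix socket (the value from the question).
DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample: a trimmed `docker inspect` result for two containers.
# These are not real containers; only the fields the audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False,
                       "Binds": ["/srv/app/html:/usr/share/nginx/html:ro"]},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/app/html",
             "Destination": "/usr/share/nginx/html", "RW": False},
        ],
    },
    {
        "Name": "/deployer",
        "HostConfig": {"Privileged": False,
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": False},
        ],
    },
])


def socket_mounts(inspect_json):
    """Return one finding per container that bind-mounts the host's Docker socket.

    `inspect_json` is the text printed by `docker inspect <ids...>` (a JSON array).
    Read-only mounts are reported as well: the socket is used by connecting to the
    daemon API, so the `:ro` flag does not limit what the container can ask the
    daemon to do (start a privileged container, mount host paths, and so on).
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        privileged = bool(container.get("HostConfig", {}).get("Privileged"))
        for mount in container.get("Mounts", []):
            # Match on the host-side Source, so a socket mounted at some other
            # in-container path (e.g. /docker.sock) is still caught.
            if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCKET:
                findings.append({
                    "container": name,
                    "destination": mount.get("Destination"),
                    "read_only": not mount.get("RW", True),
                    "privileged": privileged,
                })
    return findings


def report(inspect_json):
    """Human-readable summary lines for each finding (empty list means no exposure)."""
    lines = []
    for f in socket_mounts(inspect_json):
        mode = "read-only (still full daemon API access)" if f["read_only"] else "read-write"
        lines.append(f"{f['container']}: host docker.sock mounted at "
                     f"{f['destination']} [{mode}]"
                     + (" [container is also --privileged]" if f["privileged"] else ""))
    return lines


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) > inspect.json, then load that
    # file here instead of SAMPLE_INSPECT.
    for line in report(SAMPLE_INSPECT):
        print(line)
```

The check keys on the host-side `Source` rather than on the in-container `Destination` so that renaming the mount point inside the container does not hide it from the audit. Anything it reports is a container that is root-equivalent on the host, which is exactly the property the answer above describes; the result is a list to review against the use case, not a verdict.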