Never Expose Docker Sockets. Period.

There are a lot of misconceptions in the Docker-user community right now about whether you can safely expose a Docker socket to another container. You can't.

A cryptographer at Rackspace recently blogged a warning to all Docker users: don't expose the Docker socket, not even to a container.

He writes that many developers believe that getting write access to the Docker socket from inside a container does not effectively give you root access (it does), or that the access stays confined to that container with no way to break out (there is).

Write access to the Docker socket is root on the host, regardless of where that write comes from. This is different from Jérôme Petazzoni's dind, which gives you Docker-in-Docker; we're talking about access to the host's Docker socket.

-- lvh

He also made a video demonstrating the flaw in one developer's setup.


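As an added example (this is not code from the DZone article or from lvh's post), the script below makes the point concrete from both sides: it audits the JSON that `docker inspect` prints for containers that have the host's socket bind-mounted, and it builds the Engine API request body that any such container could send to get a root shell in the host filesystem. The container records are constructed sample data, and the socket path is the assumed default on a Linux host.

```python
"""Audit `docker inspect` output for containers that bind-mount the host's
Docker socket, and build the Engine API request such a container can send
to become root on the host. Added example; not code from the DZone article
or from lvh's post. Container records below are constructed sample data,
and DOCKER_SOCK is the assumed default path on a Linux host."""
import json
import sys

DOCKER_SOCK = "/var/run/docker.sock"  # assumption: stock Linux install

# Constructed sample: what `docker inspect $(docker ps -q)` might print,
# trimmed to the fields this audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Name": "/ci-runner",
     "HostConfig": {"Binds": [DOCKER_SOCK + ":" + DOCKER_SOCK]},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK,
                 "Destination": DOCKER_SOCK, "RW": True}]},
    {"Name": "/traefik",  # "read-only" socket mount, which is no protection
     "HostConfig": {"Binds": [DOCKER_SOCK + ":" + DOCKER_SOCK + ":ro"]},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK,
                 "Destination": DOCKER_SOCK, "RW": False}]},
])


def socket_exposures(inspect_docs):
    """Map container name -> mount specs that hand it the host socket.

    Both HostConfig.Binds ("src:dst[:opts]") and Mounts are checked because
    compose files and `docker run -v` populate them differently. An ":ro"
    option is reported but not treated as mitigation: connect() on a unix
    socket is not a filesystem write, so a read-only bind mount still gives
    full API access."""
    findings = {}
    for doc in inspect_docs:
        name = doc.get("Name", "?").lstrip("/")
        hits = set()
        for bind in doc.get("HostConfig", {}).get("Binds") or []:
            if bind.split(":", 1)[0] == DOCKER_SOCK:
                hits.add(bind)
        for mount in doc.get("Mounts") or []:
            if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCK:
                hits.add(f"{mount['Source']}:{mount.get('Destination')}")
        if hits:
            findings[name] = sorted(hits)
    return findings


def audit(inspect_json_text):
    """Convenience wrapper: audit the raw text `docker inspect` printed."""
    return socket_exposures(json.loads(inspect_json_text))


def host_root_container_spec(image="alpine"):
    """Body for POST /containers/create that any socket client may send.

    Equivalent CLI from inside an exposed container:
        docker run -it -v /:/host alpine chroot /host sh
    The shell runs as root inside the host's root filesystem (enough to add
    an SSH key or cron job for host root); Privileged additionally grants all
    capabilities and raw device access. The daemon applies no further
    privilege check because it treats every socket client as an administrator."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/host", "sh"],
        "Tty": True,
        "OpenStdin": True,
        "HostConfig": {"Binds": ["/:/host"], "Privileged": True},
    }


def main(argv):
    # Read `docker inspect` JSON from a file argument, else audit the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_INSPECT
    findings = audit(text)
    for name, mounts in sorted(findings.items()):
        print(f"{name}: host Docker socket exposed via {', '.join(mounts)}")
    if findings:
        print("any of these can send:", json.dumps(host_root_container_spec()))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `docker inspect $(docker ps -q) > inspect.json && python3 audit_sock.py inspect.json` on a host you administer; a non-zero exit means at least one container can drive the daemon, and the printed request body is exactly what the article means by "root on the host": the daemon will create that container for whoever asks, with no check on who is asking.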