Never Expose Docker Sockets. Period.
There are a lot of misconceptions in the Docker-user community right now about whether you can safely expose a Docker socket to another container. You can't.
Join the DZone community and get the full member experience.Join For Free
A cryptographer at Rackspace recently blogged a warning to all Docker users: Don't expose the Docker sockets, even if it's to a container.
He writes that many developers believe that when you get write access to a Docker socket from a container that it doesn't effectively give you root access (it does) or that it keeps your access limited to that container without a way to break out (you can).
Write access to the Docker socket is root on the host, regardless on where that write comes from. This is different from Jerome Pettazoni's
dind, which gives you Docker-in-Docker;we're talking about access to the host's Docker socket.
He even made a video to demonstrate the flaw in one developer's setup:
Opinions expressed by DZone contributors are their own.