What is the Docker security risk of /var/run/docker.sock?
Question
In this blog article, I found the quote below in a comment:
Ben Firshman
Yes – you're right, I should have pointed out the security issue with the Docker socket. That's currently the main blocker to this being practical in production and we're definitely looking for help to make it work better, as you noticed from the to-do list.
While I am sure this made sense to many, for the rest of us, could someone explain in clear terminology exactly what this "security issue" is? I assume it refers to:
volumes:
  - "/var/run/docker.sock:/var/run/docker.sock"
in the docker-compose file. Is that correct? How would this be exploited? Does this effectively prohibit this approach from production usage? If so, is there a workaround?
Answer
for the rest of us, could someone explain in clear terminology exactly what this "security issue" is?
The owner of the Docker socket /var/run/docker.sock is root on the host where the container is running, with default group membership of the docker group. That's why mounting /var/run/docker.sock inside another container gives you root privileges, since now you can do anything that a root user with membership of the docker group can.
Does this effectively prohibit this approach from production usage? If so, is there a workaround?
For a workaround, maybe these posts will help: https://integratedcode.us/2016/04/08/user-namespaces-sharing-the-docker-unix-socket/ and https://integratedcode.us/2016/04/20/sharing-the-docker-unix-socket-with-unprivileged-containers-redux/
Taking a step back, it would be useful to understand the use case where you need to mount /var/run/docker.sock and see if there are alternative ways of satisfying that use case. Unfortunately, without a use case description in the question, it is difficult to provide an alternative which avoids mounting the unix socket.
Good luck and kudos for trying to do the right thing!
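As an added illustration (not part of the original question or answer), the following Python check flags the exact mount the question asks about, both in a docker-compose service definition and in `docker inspect` output, so a reviewer can catch socket exposure before a container reaches production. The socket paths and the sample compose/inspect data are assumptions constructed for the example.

```python
import json
import posixpath

# Default daemon socket paths (assumption); /var/run is usually a symlink to /run.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def _is_socket(host_path):
    """True if a host path names the Docker daemon socket, after normalising '..' and './'."""
    return posixpath.normpath(host_path.strip()) in DOCKER_SOCKET_PATHS


def compose_socket_mounts(service):
    """Return the `volumes` entries of a compose service that expose the host socket.
    Handles short syntax "host:container[:mode]" and long syntax {"type": "bind", ...}.
    ":ro" / read_only is still flagged: it restricts the socket file, not the API
    behind it, so the container can still drive the daemon with root's authority."""
    hits = []
    for vol in service.get("volumes", []):
        if isinstance(vol, str):
            parts = vol.split(":")
            host = parts[0] if len(parts) >= 2 else None  # single part = anonymous volume
        else:
            host = vol.get("source") if vol.get("type") == "bind" else None
        if host and _is_socket(host):
            hits.append(vol if isinstance(vol, str) else f"{host}:{vol.get('target')}")
    return hits


def inspect_socket_mounts(inspect_json):
    """Names of containers in `docker inspect` JSON output that bind-mount the socket."""
    flagged = []
    for container in json.loads(inspect_json):
        mounts = container.get("Mounts", [])
        if any(m.get("Type") == "bind" and _is_socket(m.get("Source", "")) for m in mounts):
            flagged.append(container["Name"].lstrip("/"))
    return flagged


# Constructed samples (not real deployment data): the question's compose volume plus a
# long-syntax read-only variant, and a trimmed two-container `docker inspect` output.
SAMPLE_SERVICE = {"image": "example/agent", "volumes": [
    "/var/run/docker.sock:/var/run/docker.sock",
    "data:/data",
    {"type": "bind", "source": "/run/docker.sock", "target": "/docker.sock", "read_only": True},
]}
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner", "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                                       "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/web", "Mounts": [{"Type": "volume", "Name": "data", "Destination": "/data"}]},
])
```

Running `compose_socket_mounts(SAMPLE_SERVICE)` returns both socket entries (including the read-only one), and `inspect_socket_mounts(SAMPLE_INSPECT)` returns only `ci-runner`.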