What is the Docker security risk of /var/run/docker.sock?


Problem description

In this blog article, I found the quote below in a comment:

Ben Firshman

Yes – you're right I should have pointed out the security issue with the Docker socket. That's currently the main blocker to this being practical in production and we're definitely looking for help to make it work better, as you noticed from the to-do list.

While I am sure this made sense to many, for the rest of us, could someone explain in clear terminology exactly what this "security issue" is? I assume it refers to:

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"

in the docker-compose file. Is that correct? How would this be exploited? Does this effectively prohibit this approach from Production usage? If so, is there a workaround?

Recommended answer

for the rest of us, could someone explain in clear terminology exactly what this "security issue" is?

The owner of the docker /var/run/docker.sock is root of the host where the container is running, with default group membership to the docker group. That's why mounting /var/run/docker.sock inside another container gives you root privileges, since now you can do anything that a root user with group membership of docker can.

Does this effectively prohibit this approach from Production usage? If so, is there a workaround?

For a workaround, maybe these posts will help: https://integratedcode.us/2016/04/08/user-namespaces-sharing-the-docker-unix-socket/ and https://integratedcode.us/2016/04/20/sharing-the-docker-unix-socket-with-unprivileged-containers-redux/

Taking a step back, it would be useful to understand the use case where you need to mount /var/run/docker.sock and see if there are alternative ways to satisfy the use case. Unfortunately, without a use case description in the question, it is difficult to provide an alternative which avoids mounting the unix socket.

Good luck and kudos for trying to do the right thing!
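A defender-side check that follows from the answer above, added here as an example and not part of the original question or answer: audit the JSON that `docker inspect` prints for containers that bind-mount the daemon socket (or a parent directory such as /var/run that contains it). The sample inspect output is constructed; the field names (`Name`, `Mounts`, `Type`, `Source`, `Destination`, `RW`) are those `docker inspect` emits.

```python
"""Audit `docker inspect` output for containers that expose the Docker socket.

Added example, not code from the original Q&A. Assumes the JSON shape printed by
`docker inspect <id>...`: a list of container objects with "Name" and "Mounts".
"""
import json
import os

SOCKET_BASENAME = "docker.sock"          # /var/run/docker.sock, /run/docker.sock, ...
SOCKET_PARENT_DIRS = ("/var/run", "/run")  # mounting these also hands over the socket


def socket_mounts(inspect_output: str):
    """Return one finding per container that exposes the daemon socket.

    Each finding is (container_name, host_source, container_destination, rw).
    A read-only mount is still reported: ":ro" only blocks filesystem writes,
    and talking to the daemon over the socket is a connect(), not a write().
    """
    findings = []
    for container in json.loads(inspect_output):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            source = mount.get("Source", "")
            exposes_socket = (os.path.basename(source) == SOCKET_BASENAME
                              or source.rstrip("/") in SOCKET_PARENT_DIRS)
            if exposes_socket:
                findings.append((name, source, mount.get("Destination", ""),
                                 bool(mount.get("RW", True))))
    return findings


# Constructed sample: two containers, the second mounting the socket read-only.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/ci-runner",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False}]},
])

if __name__ == "__main__":
    for name, src, dst, rw in socket_mounts(SAMPLE_INSPECT):
        mode = "rw" if rw else "ro"
        print(f"{name}: {src} -> {dst} ({mode}) grants host-root-equivalent control")
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.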
