I do understand that giving access to the docker daemon by binding the socket inside the container is a risk to start with, but I have a scenario which I would appreciate some insight on how safe it is from someone knowledgeable…
There is a host running a docker container which runs an application as a user.
The host docker socket is mounted inside the docker container and a script is created by root.
The app does not have access rights on the mounted docker socket, but is allowed to run /usr/local/run_other_docker.sh after being given passwordless access as a sudoer.
How dangerous is this?
Is there a standard way of doing such a thing?
I’ve been searching and the only solution that does not include tricks seems to be creating a microservice that runs in the second container for the first one to call, which can be a pain as it adds more things asking for maintenance for each such use case…
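A hardened shape for such a wrapper, added here as an example and not taken from the question: the sudoers rule names one root-owned script, the script accepts only an allow-listed keyword (never a free-form docker command line), and every dangerous docker option is pinned by the script rather than the caller. The script path, image names and sudoers line are constructed placeholders; the self-permission check assumes GNU `stat -c`.

```shell
#!/bin/sh
# Example hardened wrapper, assumed to live at /usr/local/run_other_docker.sh (constructed path).
# Matching sudoers rule (constructed; install with visudo), granting exactly this script and nothing else:
#   app ALL=(root) NOPASSWD: /usr/local/run_other_docker.sh
set -eu

# Allow-list: each keyword the unprivileged app may request maps to one fixed image (constructed names).
action_to_image() {
    case "$1" in
        report)  echo "registry.example.internal/report-job:1.4" ;;
        cleanup) echo "registry.example.internal/cleanup-job:2.0" ;;
        *)       return 1 ;;
    esac
}

# Accept only a plain lowercase keyword: no spaces, flags or shell metacharacters can reach docker.
validate_action() {
    case "$1" in
        ""|*[!a-z]*) return 1 ;;
    esac
    action_to_image "$1" >/dev/null
}

# The script, not the caller, fixes the risky options: no --privileged, no bind mounts,
# no host network, read-only root fs, all capabilities dropped, unprivileged uid inside.
build_docker_cmd() {
    image=$(action_to_image "$1") || return 1
    printf '%s' "docker run --rm --read-only --cap-drop=ALL --security-opt=no-new-privileges --network=none --user 65534:65534 $image"
}

# A NOPASSWD rule on a script anyone else can edit is root for whoever edits it:
# require root ownership and no group/other write bit (GNU stat: %u = owner uid, %A = mode string).
check_self_perms() {
    mode=$(stat -c '%A' "$1")
    [ "$(stat -c '%u' "$1")" = "0" ] && [ "$(echo "$mode" | cut -c6)" != "w" ] && [ "$(echo "$mode" | cut -c9)" != "w" ]
}

# Entry point: one argument, validated, then run (or echoed when DRY_RUN=1 for inspection).
run_other_docker() {
    [ $# -eq 1 ] || { echo "usage: run_other_docker <action>" >&2; return 2; }
    validate_action "$1" || { echo "refused: unknown or malformed action" >&2; return 3; }
    cmd=$(build_docker_cmd "$1")
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else $cmd; fi   # unquoted on purpose: split into argv
}
```

Install with `run_other_docker "$1"` as the last line and make the file root-owned and mode 0755 so `check_self_perms` passes; a `--privileged` or bind-mount request from the app user is then impossible by construction.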