#StackBounty: #docker Docker execution in docker container: is there a safe way to do it?

Bounty: 100

I do understand that giving access to the docker daemon by binding the socket inside the container is a risk to start with, but I have a scenario which I would appreciate some insight on how safe it is from someone knowledgeable…

There is a host running a docker container which runs an application as a user, app.
The host docker socket is mounted inside the docker container and a script is created by root, /usr/local/run_other_docker.sh.

Now, user app does not have access rights on the mounted docker socket, but is allowed to run /usr/local/run_other_docker.sh after being given passwordless access as a sudoer.

How dangerous is this?
Is there a standard way of doing such a thing?

I’ve been searching and the only solution that does not include tricks seems to be creating a microservice that runs in the second container for the first one to call, which can be a pain as it adds more things asking for maintenance for each such use case…
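A wrapper of the shape the question describes, as an added example that is not part of the original post: the sudoers line, the script contents, the image name and the job names are hypothetical. The point it illustrates is that the sudo rule only decides which file runs as root; the file itself must be root-owned, not writable by `app`, and must never pass free-form caller input on to the socket.

```shell
#!/bin/sh
# Added example, not from the question. Hypothetical sudoers line that pairs
# with this script (root-owned, mode 0755, not writable by "app"):
#   app ALL=(root) NOPASSWD: /usr/local/run_other_docker.sh
# With sudo's default env_reset the environment is cleaned, but the script
# still must not trust PATH or any free-form input: only a whitelisted job
# name reaches the docker socket.
set -e

DOCKER=/usr/bin/docker               # absolute path, never resolved via PATH
IMAGE="example.invalid/worker:1.0"   # placeholder image, pinned by the script

# Accept exactly one argument that matches the whitelist; anything else
# (extra words, flags such as --privileged or -v, empty input) is rejected.
validate_job() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        build|test) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the exact command line the wrapper will execute for a job name.
# Every token except the validated job name is fixed in this root-owned file.
docker_cmdline() {
    validate_job "$@" || return 1
    printf '%s run --rm --network none --cap-drop ALL --user 1000:1000 %s make %s\n' \
        "$DOCKER" "$IMAGE" "$1"
}

main() {
    if ! validate_job "$@"; then
        printf 'usage: %s {build|test}\n' "$0" >&2
        exit 2
    fi
    # Rebuild the argument list from fixed strings and exec docker directly,
    # so the caller's input is never re-parsed by a shell.
    set -- run --rm --network none --cap-drop ALL --user 1000:1000 "$IMAGE" make "$1"
    exec "$DOCKER" "$@"
}

# Run only when given arguments, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

The `--network none`, `--cap-drop ALL` and `--user` flags are this example's choice of a restricted run, not something the question requires; what matters is that they are fixed in the script rather than supplied by the caller.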
