I'm curious about the safety of binding the Docker socket while supposedly limiting privileges. I'm working on a Docker Compose service that utilizes the Docker CLI. Here's a snippet of my service configuration:
```yaml
service:
  image: docker:28.3-cli
  restart: always
  container_name: service
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
  entrypoint: >
    /bin/sh -c '
    ...
    docker exec ...;
    ...
    '
  networks:
    - internal
  security_opt:
    - no-new-privileges:true
  cap_drop:
    - ALL
```
The service interacts with the Docker command, and since it's on an `internal` network (akin to localhost), I believe it has no internet access and lacks capabilities. Given that, is there any risk of exploitation?
1 Answer
It looks like you're trying to ensure security while using the Docker socket. However, even if you're on an internal network and dropping capabilities, having access to the Docker socket can still let your service create networks and launch new containers, including privileged ones. Just being on localhost doesn’t fully shield you from potential issues.

Thanks for pointing that out! That's definitely something to consider.
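
An audit check for the point made in the answer, as an added example that is not part of the original question or answer: it scans `docker inspect`-style JSON for containers that bind-mount the Docker socket and lists the hardening settings that do not restrict what the daemon will do for them. A read-only bind mount of a socket still allows connecting to it and sending API requests. The sample data and the function name `audit_socket_mounts` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/service",
   "HostConfig": {"Privileged": false, "CapDrop": ["ALL"],
                  "SecurityOpt": ["no-new-privileges:true"]},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": false}]},
  {"Name": "/web",
   "HostConfig": {"Privileged": false, "CapDrop": null, "SecurityOpt": null},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
               "Destination": "/data", "Mode": "rw", "RW": true}]}
]
""")

SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_socket_mounts(containers):
    """Return one finding per container that bind-mounts the Docker socket."""
    findings = []
    for c in containers:
        host_cfg = c.get("HostConfig") or {}
        for m in c.get("Mounts") or []:
            if m.get("Type") != "bind" or m.get("Source") not in SOCKET_PATHS:
                continue
            # These settings constrain the container's own processes, not the
            # requests the daemon carries out on the container's behalf.
            ineffective = []
            if not m.get("RW", True):
                ineffective.append("read-only mount")
            if "ALL" in (host_cfg.get("CapDrop") or []):
                ineffective.append("cap_drop: ALL")
            if any(o.startswith("no-new-privileges")
                   for o in host_cfg.get("SecurityOpt") or []):
                ineffective.append("no-new-privileges")
            findings.append({"container": c.get("Name", "").lstrip("/"),
                             "socket": m["Source"],
                             "does_not_mitigate": ineffective})
    return findings


if __name__ == "__main__":
    for f in audit_socket_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: Docker API reachable via {f['socket']}; "
              f"not mitigated by {', '.join(f['does_not_mitigate']) or 'n/a'}")
```

On a live host the same function can be fed the parsed output of `docker inspect` for the running containers.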