I'm a university student managing a VPS for a DeFi project, where we run applications 24/7 using Docker and Docker-Compose. Currently, I have root access, but I'm looking to add another student to the server so they can deploy their own containers. I initially thought about adding them to the Docker group, but I've heard that this effectively gives them root-equivalent access to the entire host.
Here's my setup:
- OS: Ubuntu 22.04
- Stack: Docker Engine + Docker Compose
- Context: The VPS runs Python scripts, agents, and a PostgreSQL database, and it holds sensitive data and API keys.
My concerns are:
1. How big of a risk is giving someone access to the Docker group?
2. Is Rootless Docker the way to go, or are there better options? I've heard there can be issues with permissions and binding.
5 Answers
Have you considered using something like gVisor? It's useful for adding a security layer for untrusted code running in containers. However, make sure you assess your own threat model based on who’s using the server. In cases where you trust the student, you might not need such high security measures.
You should definitely be cautious with the Docker group! Adding someone to it does give them root access to your host, which can be a major security risk. A good practice is to put a system around Docker that automates proper isolation for different users, such as using Kubernetes or creating virtual machines (VMs) for each group. That way, everyone can have their own environment without compromising security.
If you're looking for a way to allow users to manage containers without full root access, consider using Podman instead of Docker. Podman can run in a rootless mode, which is safer since it's designed for lower privilege users. It's very similar to Docker, so you won't have to change much in your workflow!
Container isolation is tricky. For a real self-service solution, Kubernetes is designed for this, allowing each project or group to have their own namespace. But if you want something simpler, look into namespace remapping for Docker to keep a tight lid on access levels within your containers.
Kubernetes sounds like a huge undertaking, especially if you're just letting one student use it. Are there simpler options with Docker itself?
Using singularity is another alternative to consider. It offers a different approach to containerization, focusing on security and less privileged access, which seems to align with your needs.
That sounds interesting! I hadn't heard much about Podman. Is it really that easy to switch from Docker to Podman?