How to Safely Use CI Runners with Woodpecker CI?

Asked By CuriousCoder92 On

I've started setting up a home lab where I'm running Docker apps on a Debian server, with one VM for my exposed services and nginx as a proxy. I'm using 2FA for authentication and fail2ban for security. Now, I want to integrate Woodpecker CI with Docker, but I've noticed that the agent needs to mount the Docker socket, which makes me concerned about container security. I'm looking for advice on how to isolate these CI agent containers to prevent anyone from hijacking them and compromising my system. I initially planned to run all exposed services on the VM, but installing Docker on the VM seems redundant. I thought about managing my Docker setup with Portainer as well, but I'm relatively new to networking and security, so I appreciate any guidance!

1 Answer

Answered By TechieTom123 On

To isolate your CI/CD setup, you might want to consider using a separate Docker installation with sysbox. This way, you'll get full isolation for your CI runners while still allowing them to install their own Docker instance for builds. It’s better to opt for Docker-in-Docker (DinD) with sysbox for added security.

NimbleNerd3 -

Just to clarify, couldn't I also just install the sysbox runtime on my server itself, add it to the Docker daemon, and then configure the runners to use that runtime directly?
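The thread's point is that a bind-mounted Docker socket hands the container full control of the host daemon, which the sysbox runtime is meant to avoid. The following added example (my code, not from either poster or from the Woodpecker or sysbox projects) audits compose-style service definitions for that pattern. It assumes services are already parsed into Python dicts (so no YAML dependency), uses the real runtime name `sysbox-runc` that the sysbox package registers with Docker, and constructs three sample agent definitions: the socket-mounting one from the question, a privileged Docker-in-Docker variant, and a sysbox-isolated one with no host socket at all.

```python
"""Audit compose-style service definitions for settings that let a CI runner
take over the host: a bind-mounted Docker socket, privileged mode, or
Docker-in-Docker without an isolating runtime. Added example, not from the thread."""

# Host paths under which the Docker daemon socket is usually bind-mounted.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")
# Runtime name sysbox registers with the Docker daemon (real name, see sysbox docs).
ISOLATING_RUNTIMES = {"sysbox-runc"}


def _mount_sources(service):
    """Yield host-side source paths from a compose 'volumes' list, accepting
    both the short "host:container" string form and the long dict form."""
    for vol in service.get("volumes", []):
        if isinstance(vol, str):
            yield vol.split(":", 1)[0]
        elif isinstance(vol, dict) and vol.get("source"):
            yield vol["source"]


def audit_service(name, service):
    """Return a list of human-readable findings for one service (empty = clean)."""
    findings = []
    runtime = service.get("runtime", "runc")  # Docker's default runtime
    if any(src in DOCKER_SOCKET_PATHS for src in _mount_sources(service)):
        # The socket is the host daemon's API: whoever controls the container
        # can start a privileged container on the host, regardless of runtime.
        findings.append(f"{name}: host Docker socket bind-mounted (equivalent to root on the host)")
    if service.get("privileged"):
        findings.append(f"{name}: privileged mode disables container isolation")
    elif service.get("dind") and runtime not in ISOLATING_RUNTIMES:
        # 'dind' is an assumed marker meaning "runs its own Docker daemon inside".
        findings.append(f"{name}: Docker-in-Docker under runtime {runtime} needs sysbox-runc for isolation")
    return findings


def audit_compose(compose):
    """Audit every service in a parsed compose document."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        findings.extend(audit_service(name, svc))
    return findings


# Constructed sample definitions (env var names are Woodpecker's documented ones).
AGENT_ENV = {
    "WOODPECKER_SERVER": "woodpecker-server:9000",
    "WOODPECKER_AGENT_SECRET": "<placeholder-secret>",
    "WOODPECKER_BACKEND": "docker",
}

SAMPLE_COMPOSE = {
    "services": {
        # What the question describes: agent with the host socket mounted.
        "agent-socket": {
            "image": "woodpeckerci/woodpecker-agent",
            "environment": AGENT_ENV,
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        # The classic DinD approach: a privileged inner daemon.
        "agent-dind-privileged": {
            "image": "docker:dind",
            "privileged": True,
            "dind": True,
        },
        # The answer's suggestion: an inner Docker daemon under sysbox, no host
        # socket. Assumes an image bundling the agent and a Docker daemon.
        "agent-sysbox": {
            "image": "<assumed-image-with-agent-and-dockerd>",
            "runtime": "sysbox-runc",
            "dind": True,
            "environment": AGENT_ENV,
        },
    }
}

if __name__ == "__main__":
    for line in audit_compose(SAMPLE_COMPOSE) or ["no findings"]:
        print(line)
```

Running it reports the two unsafe services and nothing for `agent-sysbox`; the same checks apply whether the sysbox runtime is selected per container, as in the comment above, or via a separate Docker installation.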
