Is it worth using Docker containers for my ARK server manager despite security risks?

Asked By TechNinja42 On

I'm working on an open-source server manager for ARK that users can self-host. This manager currently runs in a single Docker container where it spins up multiple ARK server processes within it. To separate configurations and save files for each server, I've been using symlinks and some LD_PRELOAD tricks. However, I'm considering switching to a setup where each ARK server runs in its own container. This would allow for better organization and isolation but would also require that the manager has access to the Docker daemon on the host machine, by mounting the /var/run/docker.sock file in the manager's container. This raises some security concerns. The manager has a web API, and the frontend container interacts with it, but doesn't need privileged access. What are the potential security issues with this approach? Is there a safer way to execute this while minimizing vulnerabilities? Also, is switching to a container-based method a good idea compared to the current process-based setup?

5 Answers

Answered By ChrootMaster On

Here's another perspective: since the main goal of containerizing each server seems to be isolating files, you could use chroot instead of full containers for server processes. This won't provide the same level of isolation as separate containers but could be easier to manage while still providing some isolation for configuration and save files. You might also consider offering different deployment options in your API for users who want to choose between chroot, Docker containers, or Kubernetes.

Answered By SecurityGurus On

I think there's merit in your concerns about security when it comes to exposing a Docker socket. If a privileged container is managing multiple stacks, consider how tightly you control what runs inside that container. Using a message queue or a shared volume for requests can protect against direct command execution vulnerabilities. Just be careful with the type of commands you're allowing through—sending shell commands via API can open a world of problems!
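
Added example (not part of the original answer or the project's code): one way for the manager's web API to avoid passing commands through, by accepting only typed fields and building the container-create body itself. The image name, `ARK_MAP` variable, `/data` path, map allowlist and port range are assumptions, and it assumes the image runs without extra capabilities; the body's field names are from the Docker Engine API.

```python
import re

# Assumptions for this sketch (not from the original thread):
IMAGE = "example/ark-server:latest"       # placeholder image name
ALLOWED_MAPS = {"TheIsland", "Ragnarok"}  # constructed allowlist
PORT_RANGE = range(7777, 7878)            # constructed port window
SERVER_ID = re.compile(r"[a-z0-9][a-z0-9-]{0,30}")


class RejectedRequest(ValueError):
    """The API request contained a field or value outside the allowed set."""


def build_container_spec(request: dict) -> tuple[str, dict]:
    """Turn a web-API request into (container name, Engine API create body).

    Only three typed fields are accepted. Image, mounts, capabilities and
    privileges are fixed here and can never be chosen by the caller.
    """
    unknown = set(request) - {"server_id", "map", "port"}
    if unknown:
        raise RejectedRequest(f"unexpected fields: {sorted(unknown)}")
    server_id, game_map, port = (request.get(k) for k in ("server_id", "map", "port"))
    if not isinstance(server_id, str) or not SERVER_ID.fullmatch(server_id):
        raise RejectedRequest("server_id must match [a-z0-9-], max 31 chars")
    if not isinstance(game_map, str) or game_map not in ALLOWED_MAPS:
        raise RejectedRequest("map is not in the allowlist")
    # bool is a subclass of int, so require the exact type
    if type(port) is not int or port not in PORT_RANGE:
        raise RejectedRequest("port is outside the permitted range")

    body = {
        "Image": IMAGE,
        "Env": [f"ARK_MAP={game_map}"],  # passed as data, never through a shell
        "ExposedPorts": {f"{port}/udp": {}},
        "HostConfig": {
            # One named volume per server replaces the symlink/LD_PRELOAD separation
            "Binds": [f"ark-data-{server_id}:/data"],
            "PortBindings": {f"{port}/udp": [{"HostPort": str(port)}]},
            "Privileged": False,
            "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges"],
            "PidsLimit": 512,
            "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 3},
        },
    }
    return f"ark-{server_id}", body
```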

Answered By DockerRanger99 On

I recommend not mounting the Docker socket directly. Instead, consider using a proxy like [docker-socket-proxy](https://github.com/tecnativa/docker-socket-proxy). This way, you can let users deploy the proxy alongside your other containers. The proxy can be configured to limit what your manager container can do, giving it only necessary permissions while still minimizing risk. Just remember to clearly document the dangers of exposing the Docker socket, even with a proxy in place.

Answered By SysAdminGuru26 On

Honestly, if you don't absolutely need Docker socket access, I wouldn't use it. Offloading the task of managing multiple server instances to seasoned system admins with tools like Ansible or Terraform might be a better and safer method. They can work around firewalls and DNS setups without exposing unnecessary risks.

Answered By PodmanEnthusiast77 On

About the Docker socket access, if your manager has that level of permission, privilege escalation becomes a bigger deal inside the container. A rootless container solution like Podman might suit your needs better since it allows for non-root access to a Docker-compatible socket. It's also architecturally cleaner to run each server in its own container rather than using symlinks. Create two images: one for your management service and another for serving the ARK server. This setup can isolate vulnerabilities more effectively.
