I'm curious about the security aspects of mounting the Docker socket but with all capabilities dropped. Here's a snippet of my Docker Compose service configuration:
```yaml
service:
  image: docker:28.3-cli
  restart: always
  container_name: service
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
  entrypoint: >
    /bin/sh -c '
    ...
    docker exec ...;
    ...
    '
  networks:
    - internal
  security_opt:
    - no-new-privileges:true
  cap_drop:
    - ALL
```
I have to mount the socket here since the service needs to run Docker commands. It's on an `internal` network, which connects only to localhost and has no external internet access. Given these security measures, is it still possible for this setup to be exploited?
4 Answers
Honestly, I'd say if your priority is security, avoid mounting the Docker socket entirely. Try connecting to the Docker TCP API instead or consider a socket proxy to limit permissions more effectively. And if you really want to be safe, think about running Docker rootless. Also, keep in mind, using ':ro' on the socket doesn’t really add security.
Just a heads up, even though it seems secure since you're on an internal network, the Docker socket can still allow you to create new networks and launch new containers, maybe even privileged ones.
Remember that the socket itself doesn't hold privileges; it connects directly to the Docker daemon. Any software that can access this socket can control the daemon as its user, so dropping capabilities in the container really doesn't help.
For anyone looking for alternatives, check out this Docker socket proxy: https://github.com/11notes/docker-socket-proxy.
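To illustrate the socket-proxy idea raised in the answers, here is an added example (not from any answer and not the code of the linked project) of the default-deny filtering such a proxy applies to Docker Engine API requests. The container name `app`, the function `decide` and the set of endpoints a `docker exec` client needs are assumptions for illustration.

```python
import json
import re

# Assumption: the service only needs `docker exec` into one container,
# given the hypothetical name "app" here.
ALLOWED_CONTAINER = "app"

V = r"(?:/v\d+\.\d+)?"  # optional API version prefix, e.g. /v1.51
PING = re.compile(rf"{V}/_ping")
CONTAINER = re.compile(rf"{V}/containers/([^/]+)/(exec|json)")
EXEC = re.compile(rf"{V}/exec/[0-9a-f]+/(start|resize|json)")


def decide(method, target, body=b""):
    """Return (allowed, reason) for one Docker Engine API request."""
    path = target.split("?", 1)[0]
    if method in ("GET", "HEAD") and PING.fullmatch(path):
        return True, "ping"
    m = CONTAINER.fullmatch(path)
    if m:
        name, action = m.groups()
        if name != ALLOWED_CONTAINER:
            return False, "container not on the allowlist"
        if action == "json":
            return method == "GET", "container inspect"
        if method != "POST":
            return False, "wrong method for exec create"
        try:
            spec = json.loads(body or b"{}")
        except ValueError:
            return False, "unparseable exec body"
        if not isinstance(spec, dict) or spec.get("Privileged"):
            return False, "privileged or malformed exec request"
        return True, "exec create"
    m = EXEC.fullmatch(path)
    if m:
        want = "GET" if m.group(1) == "json" else "POST"
        return method == want, "exec " + m.group(1)
    return False, "endpoint not on the allowlist"  # default deny


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("HEAD", "/_ping", b""),
    ("POST", "/v1.51/containers/app/exec", b'{"Cmd": ["ls"]}'),
    ("POST", "/v1.51/containers/app/exec", b'{"Cmd": ["ls"], "Privileged": true}'),
    ("POST", "/v1.51/containers/create", b'{"Image": "alpine"}'),
    ("POST", "/v1.51/networks/create", b'{"Name": "n"}'),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, decide(method, target, body))
```

The function only makes the decision; a proxy built around it would listen on its own socket and forward allowed requests to `/var/run/docker.sock`, so the service container never mounts the real socket.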