I have the following Container Setup.
On a bare metal server two Docker Daemons are installed and running.
- Main Docker Daemon Runs my application containers exposing 80/443 to the outside world.
- Plugin Docker Daemon Runs some containers provided by the customer that communicate with my application via 80/443.
I would like give the customer access to the API (2376) of the Plugin Docker Daemon so that the customer can deploy/start/stop his own containers. The customer will only have access to the API not to the Host (SSH).
The problem I currently face is, what if the customers runs a container that does something insecure like
docker run -v /:/host/root Ubuntu rm -rf /host/root.
My question is what can I do to prevent the Plugin Docker Daemon from mounting root
/ or any other directory outside
- Is it an option to start the Docker Daemon in
- Can I use some LSM (Linux Security Modules SELinux/Apparmor) magic to prevent the docker daemon to mount some or all host paths except users home or var/docker/libs?
--userns-remaphelp me to achieve my goal?
- Are they any other options available except VMs?
The server belongs entirely to a single customer. So security or data leakage is not my primary concern. What I really want to prevent is that someone in Plugin Daemon is doing something stupid, that influences my containers that run in Main Docker Daemon. I would like to keep lean and stick to docker only workflow and don't won't to set up an extra workflow for VM creation.