Docker daemon runs as root?!

Drizzt321 · May 16, 2024

So seems like I'm going to have to be doing some work with docker and building/testing/running docker images in the very near future. I start to look into how to install/setup docker and I'm finding the daemon runs as root?! These days, that's a WTF.

Also, according to https://docs.docker.com/network/packet-filtering-firewalls/#restrict-connections-to-the-docker-hostBy default, all external source IPs are allowed to connect to the Docker host.

By default, all external source IPs are allowed to connect to the Docker host.

So this means I'm at a coffee shop and it's opened up the ports so anyone in the coffee shop can connect to my docker daemon?!

This is all ringing major alarm bells in my brain... or am I misunderstanding how docker daemon is configured/setup? Please tell me I am.

Lt_Storm · May 17, 2024

The docker host is just Docker's network layer used to connect containers to the network. That statement basically means that, by default, the coffee shop can connect to any containers you are running just like it could if you were running the same software outside Docker.

Of course, you probably should set network rules up to ensure that each container only talks to what it should. But, the docker host isn't the docker daemon.

Drizzt321 · May 17, 2024

Lt_Storm said:
The docker host is just Docker's network layer used to connect containers to the network. That statement basically means that, by default, the coffee shop can connect to any containers you are running just like it could if you were running the same software outside Docker.

Of course, you probably should set network rules up to ensure that each container only talks to what it should. But, the docker host isn't the docker daemon.

Ah, gotcha.

But still, running the daemon as root, hrm. Vast majority of daemons these days run as their own user.

senan79 · May 17, 2024

I think Podman was started due to this issue among other things. It is supposed to be a compatible replacement of docker.

Drizzt321 · May 17, 2024

senan79 said:
I think Podman was started due to this issue among other things. It is supposed to be a compatible replacement of docker.

Yeah, except for work, I want/need to have the exact same process flow. That way me being alt doesn't lead to "well, it works for everybody else".

Guess I'll just add a VM that I'll install it normally into.

koala · May 17, 2024

If you install podman-docker, you get a docker executable that just calls podman, they are mostly compatible. The big difference is volumes, if your distro uses SELinux, where you normally need --security-opt label=disable. It's worthwhile poking a bit and making it work on both systems. (E.g. on some distros it's easier to install podman).

OTOH, the stuff that allows you to automate a VM running Docker for Mac and Windows, often supports Linux too.

(At work we have some scripts that use Docker. Pretty much everyone wants to port them to Podman because everyone is a bit horrified of the flaws of Docker.)

Drizzt321 · May 17, 2024

koala said:
(At work we have some scripts that use Docker. Pretty much everyone wants to port them to Podman because everyone is a bit horrified of the flaws of Docker.)

Glad I'm not the only one, in my quick glance at installing/using it.

I can understand the appeal of containers. I can understand why in the earliest days it was a whole lot easier to just run as root. I can't understand why, as the threats have evolved, the last decade they've still kept the same model and not aimed to migrate to something less dangerous sigh

koala · May 17, 2024

Docker was a revolution; they basically invented "app containers", and they built a very nice product which is easy to use and which has some pretty good ideas.

However, they invented a lot of stuff, but they don't have gone back and reviewed all their decisions. Podman has basically done that, and it's a breath of fresh air. Plus, Podman keeps all the nice things about Docker.

(Disclaimer: I worked for a company working on Podman for four years, and I quit like 3 months ago. But really, everyone else on my team has no such relationship, and they push for Podman harder than me. [After all, I'm biased.])

Drizzt321 · May 17, 2024

Yeah, someone has to pay that tech debt sometime. Which is basically the rest of us, rather than Docker.

dspariI · May 17, 2024

One point in favor of Docker is that you can get AWS hosting that's specific to Docker containers without having to manage anything other than the images. I did something involving this at an old job, and that itself seemed convenient and left all the messy bits for Amazon to deal with.

Drizzt321 · May 17, 2024

Sure, but that's just the containers, not necessarily how they're run. So podman (in theory) could still be used to develop/create those containers.

Mark086 · May 17, 2024

Rootless docker is a thing, we've been using it for a while and have reasonable success with it.

We also have podman in a different environment because Docker doesn't pass scrutiny for those servers.

Containers without orchestration aren't much fun, but it is doable.

Lt_Storm · May 17, 2024

Mark086 said:
Containers without orchestration aren't much fun, but it is doable.

This is true enough and a good reason to look into Kubernetes.

Drizzt321 · May 17, 2024

Which we are doing as a company, but not helping me to figure out how to take over this particular thing right now

Mark086 · May 17, 2024

Lt_Storm said:
This is true enough and a good reason to look into Kubernetes.

I can't get into it, but... I fucking wish.

Maybe in 2030

Lt_Storm · May 17, 2024

Drizzt321 said:
Which we are doing as a company, but not helping me to figure out how to take over this particular thing right now

they are compatible projects. Dockerizing your product is useful for getting it running on Kubernetes. Though, just Dockerizing it leaves the question of hardware allocation and deployment up in the air, whereas Kubernetes solves that bit nicely.

kperrier · May 20, 2024

Drizzt321 said:
I can't understand why, as the threats have evolved, the last decade they've still kept the same model and not aimed to migrate to something less dangerous sigh

Because to do so would require them to admit that Red Hat was right!

Docker is one giant thing that does everything. Podman, buildah, and skoepo are three different tools that combined do all the things that Docker does. Having them separated allows either tool to move at their own pace without breaking the other pieces.

I would assume that podman would do everything that you want to do with the Docker run time. I assume you are using Docker CE and not Docker EE and don't really care about support from a company?

Drizzt321 · May 20, 2024

Most likely CE, no specific support plan AFAIK.

Docker daemon runs as root?!

Ars Legatus Legionis

Ars Praefectus

Ars Legatus Legionis

Ars Scholae Palatinae

Ars Legatus Legionis

Ars Tribunus Angusticlavius

Ars Legatus Legionis

Ars Tribunus Angusticlavius

Ars Legatus Legionis

Smack-Fu Master, in training

Ars Legatus Legionis

Ars Tribunus Angusticlavius

Ars Praefectus

Ars Legatus Legionis

Ars Tribunus Angusticlavius

Ars Praefectus

Ars Legatus Legionis

Ars Legatus Legionis