Root access rights on Docker

Solved

Casoth (Member, 6 posts)

Hello,

I'm getting into Docker, and so far, I have no problem with installing/pulling containers/running them, etc. I'm having a good time.

But I've realized that to run the containers, I need to be root. I saw in the docs that it's possible to configure it to run containers as a non-root user.

In itself, I imagine that the issue (or at least the question) has been thoroughly examined by top-notch people in their fields. But I can't help but wonder if there are any risks in running containers with such high privileges.

For example, if I run a container with a web server service, it seems curious to me to run it with so many rights, knowing that there are direct interactions with my "host." (I hope I've been clear; I'm still in the discovery phase, so maybe I'm mixing up a few concepts.)

What do you think?

Thanks for your responses.

Casoth

PS: Sorry if I'm not in the right forum.


3 replies

avion-f16 (Contributor, 19182 posts)

Hello,

Root privileges are necessary to communicate with the Docker daemon.

No distinction is made among the containers managed by this daemon based on "which user ran the command 'docker run...'". Thus, every user with access to the Docker daemon can see/manage the containers launched by other users through this daemon, which can already be a concern on a multi-user system. Furthermore, to avoid using "sudo", users can be added to the "docker" group.

It is only the daemon that runs in a privileged manner; there is always a layer of isolation that ensures that even if a container were compromised (due to a vulnerability in an application contained within that container), the hacker would not be able to reach the host system. It would require exploiting a security flaw in the underlying container technology (LXC for Linux containers, Hyper-V for Windows containers), which is unlikely.

However, you are right to wonder why an application like Apache, a NodeJS project, or a PHP application would need to invoke "root" somewhere when they can operate perfectly well as a regular user. That's why it's preferable to use rootless containers, if possible with Podman.

To use a privileged port <1024, simply associate the container with a non-privileged port and create a port redirection with the system's firewall (nftables); I advise against modifying the limit of privileged ports, a method often suggested as a "solution".

0
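The multi-user concern in the answer above (anyone in the "docker" group, or anyone who can write to the daemon's socket, can drive a root-privileged daemon) is something an administrator can check on a host. The script below is an added example, not code from the thread or from Docker: it reads a group file and looks at the socket's permission bits, with both paths overridable so it can be exercised on constructed input; the default locations are the usual Linux ones.

```shell
#!/bin/sh
# Added example (not from the thread): audit who can reach the Docker daemon.
# Anyone listed in the "docker" group, or able to write to the daemon socket,
# effectively has root on the host, which is the concern raised above.
# Assumptions: POSIX sh, awk and ls available; paths default to the usual
# Linux locations but can be overridden (e.g. for testing on constructed data).

# docker_group_members GROUP_FILE
# Prints the members of the "docker" group, one per line (nothing if absent).
docker_group_members() {
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# mode_string PATH
# Prints the 10-character permission string from ls, e.g. "srw-rw----".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# group_writable PATH
# Exit status 0 if the group write bit is set (6th character is "w").
group_writable() {
    case "$(mode_string "$1")" in
        ?????w????) return 0 ;;
        *)          return 1 ;;
    esac
}

# world_writable PATH
# Exit status 0 if the other/world write bit is set (9th character is "w").
world_writable() {
    case "$(mode_string "$1")" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_docker_access [GROUP_FILE] [SOCKET]
# Prints a short report and returns the number of findings (0 = nothing to flag).
audit_docker_access() {
    groupfile="${1:-/etc/group}"
    sock="${2:-/var/run/docker.sock}"
    findings=0

    members=$(docker_group_members "$groupfile")
    if [ -n "$members" ]; then
        echo "docker group members (root-equivalent via the daemon):"
        printf '  %s\n' $members
        findings=$((findings + 1))
    else
        echo "docker group: no members"
    fi

    if [ -e "$sock" ]; then
        echo "socket $sock mode: $(mode_string "$sock")"
        if world_writable "$sock"; then
            echo "  WARNING: socket is world-writable; every local user controls the daemon"
            findings=$((findings + 1))
        elif group_writable "$sock"; then
            echo "  note: socket is group-writable; access is governed by the group membership above"
        fi
    else
        echo "socket $sock not present (rootless Docker/Podman, or daemon not running)"
    fi

    return "$findings"
}

# Stand-alone use on a real host; skipped when the socket is absent so the
# file can also be sourced for its functions.
if [ -S /var/run/docker.sock ]; then
    audit_docker_access
    echo "findings: $?"
fi
```

A non-empty member list is not a misconfiguration by itself, but every name on it should be someone you would also give sudo to; the rootless setup recommended in the answer removes the need for the group entirely, which is why the script treats a missing socket as the quiet case rather than an error.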
Casoth (Member, 6 posts)

Thank you for your response.

I better understand the idea of the daemon, etc. But adding the Docker group to a user only allows for 'docker run' without sudo, yet it will still be managed by the daemon with elevated privileges, right?

I will look into the LXC/HyperV layers, thanks for the lead.

I will also check out this Podman and rootless containers story.

Regarding ports, taking an Apache server as an example. If I run the container in ' -p 6666:6666' mode, if I’m not mistaken, the requests will pass from the container to the host via port 6666. Through the firewall, I redirect my traffic from 6666 to 80? Thus, through my browser, if I go to http://localhost:80 I will see my web server, right? I don’t know much about nftables; I left the default settings (deny all on incoming traffic, if I remember correctly). I might need to revisit some basics.

In any case, plenty of avenues to explore and things to read and test!

Thank you again.

0
avion-f16 (Contributor, 19182 posts)

Indeed, the non-privileged user could, via the Docker daemon, access data that they do not normally have access to by launching a container and attaching the targeted file/folder.

Yes, the idea is to use a host port above 1024 to publish the service because you need to be an administrator to access the lower ports. Note that the internal port inside the container can be 80: you can use "-p 6666:80".

In this way, http://localhost:6666 will display your Apache page listening on port 80 in the container.

And to access http://localhost, IP packets destined for 127.0.0.1:80 will need to be redirected to 127.0.0.1:6666.

This is DNAT, which needs to be set up with your firewall (iptables, ufw, firewalld, ...). You need to be an administrator to create this redirection, but only for this action.

0
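The redirection described in the two answers above (publish the container on an unprivileged host port, then DNAT the privileged port to it with the firewall) can be written as a small nftables ruleset. The script below is an added example and not code from the thread or from any project; it assumes a Linux host with nft, IPv4 only, and a container already published with something like "-p 6666:80". The port numbers are those used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): produce the nftables rules that make a
# service published on an unprivileged host port (6666, as in the thread)
# reachable on a privileged one (80) without giving the container any extra
# rights. Assumptions: Linux with nftables (nft); IPv4; the container was
# started as a non-root user with e.g. "-p 6666:80".

# valid_port N: status 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nft_redirect_ruleset LISTEN_PORT PUBLISHED_PORT
# Prints an nftables ruleset redirecting TCP LISTEN_PORT to PUBLISHED_PORT.
# Two chains are needed: the "prerouting" nat hook only sees packets arriving
# from other hosts; connections made on the host itself (http://127.0.0.1)
# are locally generated and only pass through the "output" nat hook.
nft_redirect_ruleset() {
    listen="$1"
    published="$2"
    if ! valid_port "$listen" || ! valid_port "$published"; then
        echo "usage: nft_redirect_ruleset LISTEN_PORT PUBLISHED_PORT (1-65535)" >&2
        return 1
    fi
    if [ "$published" -lt 1024 ]; then
        echo "published port $published is privileged; a rootless container cannot bind it" >&2
        return 1
    fi
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport $listen redirect to :$published
    }
    chain output {
        type nat hook output priority -100; policy accept;
        ip daddr 127.0.0.1 tcp dport $listen redirect to :$published
    }
}
EOF
}

# Stand-alone use: write the ruleset to a file, check its syntax without
# loading it, then load it. Only the last two steps need root, and only once.
if [ "${1:-}" = "--apply" ]; then
    nft_redirect_ruleset "${2:-80}" "${3:-6666}" > /tmp/redirect.nft || exit 1
    nft -c -f /tmp/redirect.nft && nft -f /tmp/redirect.nft
fi
```

Two points worth knowing before loading it: the ruleset declares "table ip nat", so on a host where Docker's own (non-rootless) daemon already manages an ip nat table the chains are added alongside its rules rather than replacing them; and the table is IPv4 only, so test with http://127.0.0.1 rather than http://localhost if the latter resolves to ::1 first, which matches the wget check reported later in the thread.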
Casoth (Member, 6 posts), replying to avion-f16

Alright, I haven't really thought it through, but it's a bit like the NAT table of my router (my box in this case). I understand the principle roughly, even though there are a lot of things to delve deeper into. I'll test it all out, mess up, start over, and move forward!

Thanks for your insights, there are so many resources on the internet that sometimes it's not easy to sift through them ^^

Have fun o/

0
Casoth (Member, 6 posts)

Hello,

For a quick update, I had fun setting up a Web server (Apache/MariaDB) with one container per service and port redirections via Netfilter.

I made a quick CRUD to see:

- my wget requests are responding perfectly on http://127.0.0.1

- in Wireshark / the Netfilter logs, I can clearly see the packet redirection and the traffic as expected.

Thanks again for the clarifications!

0