Hmm it’s as though Linux is living in dark ages and having a root be a special user could result in something going wrong. Perhaps Lennart will come will return to Red Hat after his stint at Microsoft and introduce SecureTokens
Are there really good use cases for dockerd being exposed to the network?
I would assume (many/most) users who run docker directly run it without api access on the network (i.e. on a single host).
Even those that do want network deployments of docker, probably run it through something like k8s where again kubernetes is handling the networking side, and each dockerd doesn't need to expose a network accessible api).
Example: you want to set your local docker context to the production environment, so that when you type `docker system prune --volumes` you delete your production data.
The issues arise when “the network” means something different at deployment time. You might plan or expect “the network” to be shared only by local services. But then you add some management GUI that needs access to it. And then you add a sidecar to that. And before you know it, you’ve got a bunch of containers, all with their own attack surface, and all with access to the dockerd socket.
Docker desktop for Mac: dockerd runs in the VM and the client from the host system wants to connect. But of course we all hope that the network it is exposed to is still only on the Mac.
> The vulnerability was addressed with the release of Docker Engine v18.09.1, but it was not included in subsequent major versions, causing a regression.
Without further information, this sounds like code introduced in a hotfix that wasn't merged back to feature branches.
They are not using Docker for container runtime. It was deprecated in Kubernetes 1.20 and removed in 1.24 with almost everyone switching to containerd. Currently supported Kubernetes versions are 1.28/1.29/1.30. 1.27 is available as LTS from a few providers.
EDIT: Coworker mentioned there is a cri that lets you to continue to use Docker Engine in Kubernetes but I've never run across it.
erickj|1 year ago
https://developers.redhat.com/blog/2020/09/25/rootless-conta...
broknbottle|1 year ago
compsciphd|1 year ago
I would assume (many/most) users who run docker directly run it without api access on the network (i.e. on a single host).
Even those that do want network deployments of docker, probably run it through something like k8s where again kubernetes is handling the networking side, and each dockerd doesn't need to expose a network accessible api).
just wondering the use case for this.
radus|1 year ago
chatmasta|1 year ago
claytonjy|1 year ago
I don't know much about the internals there; would this bug allow me to do bad stuff on shared CI runners?
hibbelig|1 year ago
m463|1 year ago
https://vpetersson.com/2014/11/03/the-dangers-of-ufw-docker....
jroseattle|1 year ago
Without further information, this sounds like code introduced in a hotfix that wasn't merged back to feature branches.
Surely it's not that simple?
mass_and_energy|1 year ago
stackskipton|1 year ago
EDIT: Coworker mentioned there is a cri that lets you to continue to use Docker Engine in Kubernetes but I've never run across it.
Arnavion|1 year ago
unknown|1 year ago
[deleted]