top | item 47039431


itintheory | 13 days ago

You can. I think there are a couple of approaches: bind mount the docker socket, or expose it on localhost and use host networking for the consuming container, or there exist various proxy projects for the socket. There may be other ways; curious if anyone else knows more.
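To make the third option concrete, here is an added example (not code from the thread or from any existing proxy project) of what a Docker socket proxy does: it sits between the consuming container and /var/run/docker.sock and forwards only an allow-list of read-only API calls, answering everything else with 403 so the daemon never sees it. The allow-list, the socket paths and the fake "daemon" that stands in for dockerd are all constructed for the demo; a real deployment would mount the proxy's socket into the consuming container and keep the daemon socket off-limits.

```python
"""Allow-listing proxy for the Docker API over a Unix socket (added example).

The proxy forwards only read-only (method, path) pairs on ALLOWED to the
upstream daemon socket; anything else gets 403 without reaching the daemon.
A constructed FakeDaemonHandler stands in for dockerd so this runs offline.
"""
import http.client
import http.server
import json
import os
import re
import socket
import socketserver
import tempfile
import threading

# Read-only Docker API calls a consuming container may make (assumed policy).
# The optional /vX.Y prefix is the API version the client negotiates.
ALLOWED = (
    ("GET", re.compile(r"^(/v\d+\.\d+)?/version$")),
    ("GET", re.compile(r"^(/v\d+\.\d+)?/containers/json(\?.*)?$")),
    ("GET", re.compile(r"^(/v\d+\.\d+)?/containers/[^/?]+/json$")),
    ("GET", re.compile(r"^(/v\d+\.\d+)?/services(\?.*)?$")),
)


def is_allowed(method, path):
    """Default deny: only (method, path) pairs on the allow-list pass."""
    return any(m == method and rx.match(path) for m, rx in ALLOWED)


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials a Unix socket instead of TCP."""

    def __init__(self, sock_path):
        super().__init__("localhost")
        self._sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._sock_path)


class UnixHTTPServer(socketserver.ThreadingMixIn, socketserver.UnixStreamServer):
    daemon_threads = True


class _Base(http.server.BaseHTTPRequestHandler):
    # Unix-socket peers have no (host, port) pair; the default logger would
    # index into client_address and fail, so logging is silenced here.
    def log_message(self, fmt, *args):
        pass

    def read_body(self):
        length = int(self.headers.get("Content-Length") or 0)
        return self.rfile.read(length) if length else None

    def reply(self, status, body, content_type="application/json"):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_proxy_handler(upstream_path):
    """Build a handler that forwards allowed requests to upstream_path."""

    class ProxyHandler(_Base):
        def _forward(self):
            body = self.read_body()  # drain before deciding
            if not is_allowed(self.command, self.path):
                self.reply(403, b'{"message":"denied by socket proxy"}')
                return
            conn = UnixHTTPConnection(upstream_path)
            conn.request(self.command, self.path, body=body,
                         headers={"Content-Type": self.headers.get(
                             "Content-Type", "application/json")})
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            self.reply(resp.status, data,
                       resp.getheader("Content-Type", "application/json"))

        do_GET = do_POST = do_PUT = do_DELETE = _forward

    return ProxyHandler


class FakeDaemonHandler(_Base):
    """Constructed stand-in for dockerd: acknowledges every request with 200."""

    def _any(self):
        self.read_body()
        self.reply(200, json.dumps({"seen": f"{self.command} {self.path}"}).encode())

    do_GET = do_POST = do_PUT = do_DELETE = _any


def serve(path, handler):
    srv = UnixHTTPServer(path, handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call(sock_path, method, path, body=None):
    """Issue one request over a Unix socket; return (status, decoded JSON)."""
    conn = UnixHTTPConnection(sock_path)
    conn.request(method, path, body=body,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    status, data = resp.status, resp.read()
    conn.close()
    return status, json.loads(data)


def demo():
    """Fake daemon + proxy on temp sockets; return HTTP status per request."""
    with tempfile.TemporaryDirectory() as d:
        daemon_sock = os.path.join(d, "docker.sock")  # what you would NOT mount
        proxy_sock = os.path.join(d, "proxy.sock")    # what the container gets
        daemon = serve(daemon_sock, FakeDaemonHandler)
        proxy = serve(proxy_sock, make_proxy_handler(daemon_sock))
        try:
            return {
                "list": call(proxy_sock, "GET", "/v1.43/containers/json?all=1")[0],
                "create": call(proxy_sock, "POST", "/v1.43/containers/create",
                               b'{"Image":"alpine"}')[0],
                "exec": call(proxy_sock, "POST", "/containers/abc/exec", b"{}")[0],
            }
        finally:
            for s in (proxy, daemon):
                s.shutdown()
                s.server_close()


if __name__ == "__main__":
    print(demo())
```

The consuming container is given only proxy.sock; listing containers succeeds, while create and exec are refused before they reach the daemon, which is the difference between mounting the socket directly and mounting it through a proxy. Note that the allow-list is per (method, path), so any endpoint not on it, including ones that read host files such as the container archive API, is denied by default.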



mystifyingpoi | 13 days ago

> bind mount the docker socket

Bind-mounting /var/run/docker.sock gives 100% root access to anyone that can write it. It's a complete non-starter for any serious deployment, and we should not even consider it at any time.

itintheory | 12 days ago

Sure, but sometimes that's what you intend. Docker isn't always used for, nor is it particularly designed to be a security / sandboxing solution. If I'm running a tool as root that interacts with the docker daemon, I might choose to run it in a container still.

NewJazz | 13 days ago

That's not even close to the same as a well-thought-out RBAC system, sorry.

itintheory | 12 days ago

> Can you control the docker swarm API from within a container that is running inside of it?

The question didn't ask about RBAC, well thought out or not.