Docker Community Forums


Dangerous volume mounting


(Olafbar) #1

Hello,
Is there a way to avoid a dangerous situation when a user starts a container with the -v option?

A user in the docker group can mount a system folder and can change system files although he is not an administrator.

I tested this on Debian.

Regards, Olaf


(David Maze) #2

Not that I’ve found. In principle an access authorization plugin should be able to limit this; I’m not immediately aware of anything off-the-shelf (but also haven’t checked, say, Google recently).

Users in a docker group, and anyone else that can access the Docker socket (whether a Unix socket with open permissions or a network socket), are de facto administrators for basically exactly the reasons you cite.

In the cloud world, the two best answers seem to be (a) give every user their own (virtual) system to work on, or (b) use a container-management system like Kubernetes or Amazon ECS that lets users run containers, but don’t allow them shell access to the host.
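The authorization-plugin idea mentioned in the post above, as an added example that is not part of the original thread: the decision logic such a plugin could apply to each `AuthZReq` message the Docker daemon sends it, denying container-create requests that bind-mount host paths outside an allowed directory. The field names (`RequestMethod`, `RequestUri`, `RequestBody`, `Allow`, `Msg`, `HostConfig.Binds`, `HostConfig.Mounts`) come from Docker's plugin and Engine APIs; the allowed prefix `/srv/classroom` and the function names are assumptions.

```python
import base64
import json
import posixpath
import re

# Assumption: the only host directory students may bind-mount (hypothetical path).
ALLOWED_PREFIXES = ("/srv/classroom",)
CREATE_URI = re.compile(r"^(/v[\d.]+)?/containers/create(\?.*)?$")


def _host_sources(body):
    """Yield host paths requested as bind mounts in a container-create body."""
    host_config = body.get("HostConfig") or {}
    for bind in host_config.get("Binds") or []:
        source = bind.split(":", 1)[0]
        if source.startswith("/"):  # otherwise it names a volume, not a host path
            yield source
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind":
            yield mount.get("Source", "")


def _allowed(path):
    # Normalise first so "/srv/classroom/../../etc" cannot pass the prefix check.
    # Symlinks on the host are not resolved here.
    path = posixpath.normpath(path)
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def authz_request(req):
    """Decide on one AuthZReq message; returns the plugin's response as a dict."""
    if req.get("RequestMethod") != "POST" or not CREATE_URI.match(req.get("RequestUri", "")):
        return {"Allow": True}
    try:
        # RequestBody arrives base64-encoded; fail closed if it is missing or unparseable.
        body = json.loads(base64.b64decode(req.get("RequestBody") or ""))
    except ValueError:
        return {"Allow": False, "Msg": "unparseable container create body"}
    if not isinstance(body, dict):
        return {"Allow": False, "Msg": "unexpected container create body"}
    for source in _host_sources(body):
        if not _allowed(source):
            return {"Allow": False, "Msg": "bind mount of %s is not permitted" % source}
    return {"Allow": True}
```

This covers only bind mounts on container create; it is not a complete policy for users who can reach the Docker socket.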


(Olafbar) #3

It means that it is not a good idea to use Docker in the classroom without virtual machines. I hoped that I had found a ‘light’ solution.
I have to learn Kubernetes.

Thank you for the answer.


(Raj Chaudhuri) #4

If your purpose is for students to learn Docker by using the command line, learning Kubernetes won’t help you.

Instead, take a look at http://labs.play-with-docker.com. They use Docker-in-Docker (DIND) to provide up to five containers for each student session, which in turn run docker and can create their own containers. It’s brilliant for learning and playing, especially for playing with swarm mode.

You can set up the same solution on your own Docker host. Instructions are provided on the GitHub project.


(Olafbar) #5

Great!
I have to try it out.
Thank you.


(Tnelis) #6

Relevant discussion from the reference documentation: