How to prevent the Docker Daemon from mounting the host's root file system into the container

I have the following Container Setup.

On a bare metal server there are two Docker Daemons installed and running.

  1. Main Docker Daemon: runs my application containers, exposing 80/443 to the outside world.
  2. Plugin Docker Daemon: runs some containers provided by the customer that communicate with my application via 80/443.

I would like to give the customer access to the API (2376) of the Plugin Docker Daemon so that the customer can deploy/start/stop his own containers. The customer will only have access to the API, not to the host (SSH).

The problem I currently have is if the customer runs a container that does something stupid, like docker run -v /:/host/root ubuntu rm -rf /host/root.

My question is: what can I do to prevent the Plugin Docker Daemon from mounting root / or any other directory outside /home/user/?

  • Is it an option to start the Docker Daemon in /home/user/?
  • Can I use some LSM (Linux Security Modules, SELinux/AppArmor) magic to prevent the Docker daemon from mounting some or all host paths except the user's home or var/docker/libs?
  • Can --userns-remap help me achieve my goal?
  • Are there any other options available except VMs?

The server belongs entirely to a single customer, so security or data leakage is not my primary concern. What I really want to prevent is someone in the Plugin Daemon doing something stupid that influences my containers running in the Main Docker Daemon. I would like to keep it lean and stick to a Docker-only workflow, and I don’t want to set up an extra workflow for VM creation.


This is a crosspost; I have also posted it on Server Fault.

As you’ve noted, this has massive security implications and is very hard to control.

I would suggest reading the documentation for Amazon’s EC2 Container Service. The core ECS model is that every server runs a special “agent” container that is able to receive commands about what it expects to run, and there is a separate (non-Docker) API to control this. HashiCorp’s Nomad is a conceptually similar vendor-neutral pure-userspace system.

In principle you could put some sort of enforcing proxy in front of the Docker daemon that limits what it’s possible to do via the API, but I’m not aware of any implementations of this.

If you don’t mind the user having complete unrestricted access to the VM, a VM might not be a bad way to go. (This is essentially the Docker Toolbox setup.)
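
The enforcing proxy mentioned in the answer above would need a policy check along these lines on the JSON body of POST /containers/create before forwarding it to the Plugin daemon. This is an added example, not code from the thread or from any existing project; ALLOWED_ROOT, host_path_ok and violations are hypothetical names, and it assumes the proxy denies every other API endpoint unless explicitly allowed.

```python
import posixpath

ALLOWED_ROOT = "/home/user"  # from the question: the only host tree that may be mounted

def host_path_ok(src, root=ALLOWED_ROOT):
    # Lexical check after collapsing "..": symlinks below root are NOT resolved here.
    norm = posixpath.normpath(src)
    return norm == root or norm.startswith(root + "/")

def violations(create_body, root=ALLOWED_ROOT):
    """Reasons to reject a POST /containers/create JSON body; empty list means allow."""
    hc = create_body.get("HostConfig") or {}
    found = []
    for bind in hc.get("Binds") or []:
        src, sep, _ = bind.partition(":")
        # "name:/dst" is a named volume and "/dst" alone an anonymous one;
        # only an absolute source followed by ":" is a host path.
        if sep and src.startswith("/") and not host_path_ok(src, root):
            found.append(f"bind source outside {root}: {src}")
    for mount in hc.get("Mounts") or []:
        kind, src = mount.get("Type"), mount.get("Source") or ""
        if kind == "bind" and not host_path_ok(src, root):
            found.append(f"bind source outside {root}: {src}")
        elif kind == "volume" and (mount.get("VolumeOptions") or {}).get("DriverConfig"):
            found.append("volume with custom driver options")
    if hc.get("Privileged"):
        found.append("privileged container")
    for key in ("CapAdd", "Devices"):
        if hc.get(key):
            found.append(f"{key} is not permitted")
    for key in ("PidMode", "IpcMode", "NetworkMode", "UsernsMode"):
        if hc.get(key) == "host":
            found.append(f"{key}=host shares a host namespace")
    return found

if __name__ == "__main__":
    # Constructed request bodies; the first is the API form of the command in the question.
    samples = [
        {"Image": "ubuntu", "HostConfig": {"Binds": ["/:/host/root"]}},
        {"Image": "ubuntu", "HostConfig": {"Binds": ["/home/user/../../etc:/etc"]}},
        {"Image": "ubuntu", "HostConfig": {"Binds": ["/home/user/data:/data:ro", "cache:/c"]}},
    ]
    for body in samples:
        print(body["HostConfig"]["Binds"], "->", violations(body) or "allow")
```

Because the path check is purely lexical, a symlink created inside /home/user that points elsewhere on the host would still pass it, so the allowed tree itself has to be treated as untrusted.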