I have the following Container Setup.
On a bare metal server there are two Docker Daemons installed and running.
- Main Docker Daemon Runs my application containers exposing 80/443 to the outside world.
- Plugin Docker Daemon Runs some containers provided by the customer that communicate with my application via 80/443.
I would like to give the customer access to the API (2376) of the Plugin Docker Daemon so that the customer can deploy/start/stop his own containers. The customer will only have access to the API, not to the host (SSH).
The problem I currently have is that the customer could run a container that does something stupid like docker run -v /:/host/root ubuntu rm -rf /host/root.
My question is: what can I do to prevent the Plugin Docker Daemon from mounting root / or any other directory outside /home/user/?
- Is it an option to start the Docker Daemon in /home/user/?
- Can I use some LSM (Linux Security Modules, SELinux/AppArmor) magic to prevent the Docker daemon from mounting some or all host paths except the user's home or var/docker/libs?
- Can --userns-remap help me achieve my goal?
- Are there any other options available except VMs?
The server belongs entirely to a single customer, so security or data leakage is not my primary concern. What I really want to prevent is someone in the Plugin Daemon doing something stupid that influences my containers running in the Main Docker Daemon. I would like to keep it lean and stick to a Docker-only workflow, and I don't want to set up an extra workflow for VM creation.
cheers,
V.
This is a crosspost; I have also posted it on serverfault.