Docker Community Forums


Looking into why openssh_client is installed on image pulled from dockerhub

Apologies in advance, still learning docker and not really sure if I should be concerned or where I should be posting this. But since it could be a security risk (openssh & docker.sock access), here I am.


This image history for this container has the openssh client installed yet I cannot find any reference as to where or why in the dockerfile nor the Nor can I think of any reason why it would be necessary. The Dockerfile is pulling From another image which I believe is local as there is no user name.

FROM docker:19.03.5

Could someone take a look? If this turns out to be nothing, call it a training experience: how / where should I have been looking to determine what the container is doing with openssh?

The history of an image shows all directives used to create all the images it is based on, starting from scratch/base, over all intermediate (base) images up to the final image, whose Dockerfile you inspected.

If you take a look at the Dockerfile of the base image “docker:19.03.5”, you will see the step /bin/sh -c apk add --no-cache ca-certificates openssh-client which installs the openssh-client package. The ca-certificates package depends on openssl and is required for incoming and outgoing (https) communication.

Though, in the Dockerfile there is no clue why the openssh-client package is installed. I didn’t look at the entrypoint script though.

What makes the openssh-client more risky than exposing the docker.sock to the container? With the docker.sock inside the container you are already able to pull a swiss-army-knife image and bootstrap a container from it…

You have to understand under which circumstances this image can be used and when it shouldn’t.

The image at hand does nothing more than running a scheduled docker prune command… isn’t a cronjob the appropriate solution?
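
Added example, not part of the original posts: one way to answer "where should I have been looking" is to search the image history for the step that installs a package. The function names are hypothetical, and the sample history is constructed apart from the apk step quoted in the thread.

```shell
#!/bin/sh
# Locate the image-history step(s) that install a given package.
# Input (stdin): one CreatedBy string per line, newest layer first, as from
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
# Output: "step N/TOTAL: <command>", numbered from the base layer upward.
find_pkg_layers() {
    pkg=$1
    awk -v pkg="$pkg" '
        { line[NR] = $0 }
        END {
            for (i = NR; i >= 1; i--) {
                cmd = line[i]
                # Only consider package-manager install steps.
                if (cmd !~ /(apk|apt-get|apt|yum|dnf)( +-[^ ]+)* +(add|install)/)
                    continue
                n = split(cmd, word, /[ \t]+/)
                for (j = 1; j <= n; j++) {
                    # Drop a version pin such as pkg=1.2 or pkg~1.2.
                    sub(/[=<>~].*$/, "", word[j])
                    if (word[j] == pkg) {
                        printf "step %d/%d: %s\n", NR - i + 1, NR, cmd
                        break
                    }
                }
            }
        }'
}

# Constructed sample history (newest first); only the apk line is from the thread.
sample_history() {
    cat <<'EOF'
/bin/sh -c #(nop)  CMD ["sh"]
/bin/sh -c #(nop)  ENTRYPOINT ["docker-entrypoint.sh"]
/bin/sh -c apk add --no-cache ca-certificates openssh-client
/bin/sh -c #(nop)  CMD ["/bin/sh"]
/bin/sh -c #(nop) ADD file:placeholder in /
EOF
}

# Usage against a real image (requires the docker CLI):
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | find_pkg_layers openssh-client
```

A hit at a low step number means the package arrived with a base image rather than with the Dockerfile you were reading.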