Docker Community Forums

Share and learn in the Docker community.

The practice of mounting a hosts / into a container

The principle of least privilege advises to only provide access to what is necessary. So where is the advise to be found on mounting a hosts full root / file system into a container? If a docker socket file is mounted into a container it can lead to severe security weaknesses, so mounting a hosts root / has the same result. What are your thoughts on this practice?

The docker engine always runs as root (except of course if you use rootless-docker instead). Whoever is allowed to access the docker.sock is able to create root containers that can potentialy mount the rootfs into the container and used to alter system configuration…

This does not work for systems that enforce SELinux or run the docker engine in userns-remap mode.
In both cases beeing root inside the container is worth nothing in the outside world (=the host).

If you don’t want to use SELinux or use userns-remap, you could leverage Open Policy Agent | Docker to lock down the authorization of what conditions are allowed or denied on you docker engine.

Never the less, it would be helpfull if you elaborate on what you exactly are looking for.

As my first thought is: why would I grant users access to the docker.sock I don’t trust and why would I add the rootfs into a container?

My question is, what are the risks of mounting a hosts full / filesystem inside a container?