stackoom
  简体   繁体   中英

Is it safe to run docker in docker on Openshift?

 原文  2018-11-11 21:38:27       docker/ kubernetes/ openshift/ docker-in-docker

Question

I built Docker image on server that can run CI-CD for Jenkins. Because some builds use Docker, I installed Docker inside my image, and in order to allow the inside Docker to run, I had to give it --privilege .

All works good, but I would like to run the docker in docker, on Openshift (or Kubernetes). The problem is with getting the --privilege permissions.

Is running privilege container on Openshift is dangerous, and if so why and how much?

2 answers

solution1
 1  2018-11-11 21:58:37

A privileged container can reboot the host, replace the host's kernel, access arbitrary host devices (like the raw disk device), and reconfigure the host's network stack, among other things . I'd consider it extremely dangerous, and not really any safer than running a process as root on the host.

I'd suggest that using --privileged at all is probably a mistake. If you really need a process to administer the host, you should run it directly (as root) on the host and not inside an isolation layer that blocks the things it's trying to do. There are some limited escalated-privilege things that are useful, but if eg your container needs to mlock (2) you should --cap-add IPC_LOCK for the specific privilege you need, instead of opening up the whole world.

(My understanding is still that trying to run Docker inside Docker is generally considered a mistake and using the host's Docker daemon is preferable. Of course, this also gives unlimited control over the host...)

solution2
 0  2021-03-25 20:20:53

In short, the answer is no, it's not safe. Docker-in-Docker in particular is far from safe due to potential memory and file system corruption, and even mounting the host's docker socket is unsafe in effectively any environment as it effectively gives the build pipeline root privileges. This is why tools like Buildah and Kaniko were made, as well as build images like S2I.

Buildah in particular is Red Hat's own tool for building inside containers but as of now I believe they still can't run completely privilege-less.

Additionally, on Openshift 4, you cannot run Docker-in-Docker at all since the runtime was changed to CRI-O.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Run docker-in-docker on Openshift? How to run docker-in-docker through Jenkins pipeline on Openshift platform? Openshift - can I run docker client commands (like docker push) using Openshift? Is it safe to run docker container in production as root? Docker application Portability in Openshift OpenShift Docker login issue Docker integration in OpenShift Openshift will have docker UCP ? Allow Docker strategy in Openshift 3 How to provide parameter to docker run with “oc new-app” in OpenShift?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM