Containers should not mount the Docker socket docker.sock inside them
Set up the docker integration.
Description
The Docker socket docker.sock should not be mounted inside a container.
Rationale
If the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.
Audit
Run this command:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock
This returns any instances where docker.sock has been mapped to a container as a volume. You should ensure that no containers mount docker.sock as a volume.
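The audit command above greps the rendered Mounts field for the string docker.sock. As an added example (not part of the original page), the following Python reads the JSON that `docker inspect` emits and reports every container whose bind mounts expose the socket, including read-only mounts, which still allow connecting to the daemon; the inspect output below is a constructed sample, not data from a real host.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields the
# check needs. Not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/ci-runner",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
        ],
    },
    {
        "Id": "bbb222",
        "Name": "/web",
        "Mounts": [
            {"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
             "Destination": "/data", "RW": True},
        ],
    },
    {
        "Id": "ccc333",
        "Name": "/agent",
        "Mounts": [
            {"Type": "bind", "Source": "/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": False},
        ],
    },
])


def find_socket_mounts(inspect_json: str) -> list[dict]:
    """Return one finding per mount that exposes the Docker socket."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            src = mount.get("Source", "")
            dst = mount.get("Destination", "")
            # Match on the basename of either side of the mount. A read-only
            # bind mount (RW False) still lets a process connect() to the
            # socket and drive the daemon, so it is reported as well.
            if any(p.endswith("/docker.sock") for p in (src, dst)):
                findings.append({
                    "id": container["Id"],
                    "name": container.get("Name", "").lstrip("/"),
                    "source": src,
                    "destination": dst,
                    "rw": mount.get("RW", True),
                })
    return findings


if __name__ == "__main__":
    for f in find_socket_mounts(SAMPLE_INSPECT):
        print(f"{f['id']} ({f['name']}): {f['source']} -> {f['destination']} rw={f['rw']}")
```

On a live host, feed it `docker inspect $(docker ps --quiet --all)` on stdin or from a file in place of the constructed sample.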
Impact
None
Default value
By default, docker.sock is not mounted inside containers.
References
- https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
- https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2
- https://github.com/docker/docker/issues/21109
CIS controls
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services