10

In figuring out how to manage python environments for projects, I am considering using Docker containers. I became aware the Debian wiki warns, like other online sources, about the risk of Docker groups. But I am less certain:

Does the mere possibility to create Docker groups, having installed Docker, per se pose risks?

In other words, if I do not create a group, or add myself to one (note: I am the only user), is there a risk of having Docker installed and use it for managing environments as suggested by the their blog?

But having several projects in progress in the same environment becomes quickly a problem as we may get into configuration or dependency conflicts. Moreover, when sharing a project with teammates we would need to also coordinate our environments. For this we have to define our project environment in such a way that makes it easily shareable.

A good way to do this is to create isolated development environments for each project. This can be easily done by using containers and Docker Compose to manage them.

edit: oops, I just found out I may have duplicated Is having docker installed a massive security hole?

Johan
  • 399
  • 2
    It should be pointed out that for a single-user system such as what you described, your concerns kind of miss the point - it doesn't really matter whether you, personally, start a container via sudo or via adding your own user account to the docker group. If you start a malicious or compromised container/image, then that is bad no matter how it's started. The concern about sudo vs docker group is more about which users are allowed to start containers, and if there is just one user, it makes no real difference which path is chosen. – Torque Apr 21 '23 at 11:51
  • @Torque ok, how does that proposition go with StephenKitt’s answer? You may want to comment there instead. His answer then depends on the number of users as far as I understand your comment. – Johan Apr 22 '23 at 05:49
  • His point is basically the same as mine - the risk doesn't come from whether you use sudo or a docker group, but from who has access to it. He focuses on another aspect, which is why I commented here – Torque Apr 24 '23 at 15:33

2 Answers2

17

The risk is attached to having users in the group, because such users provide an easy path to root with no further access control. There are other such groups on Debian systems e.g. disks, so installing Docker and having the docker group created doesn’t increase the risk in and of itself. If you don’t add users to such groups, you’re OK, since adding users to a group is a privileged operation anyway (so if an attacker can do that, you’ve lost already).

There is also some amount of risk attached to having a privileged daemon running. There are other solutions you could look into that don’t involve having a privileged Docker daemon running at all; for example Podman, or since you’re looking into this specifically for Python projects, Python virtual environments.

Johan
  • 399
Stephen Kitt
  • 434,908
  • Thanks for bringing python virtual environments to my attention and to this question. I have thought about raising a question concerning trade-offs for these solutions. I looked into Docker because I have got it recommended elsewhere. But I also have not decided, because of my uncertainty, whether to actually go with Docker containers. However, @BlockchainOffice ‘s answer/post does seems to speak to the utility of Dockers for this purpose. It is nice to know that security aspects may be a reason, albeit weighty, for using virtual environments instead. – Johan Apr 20 '23 at 11:44
  • 3
    Note that you don’t have to use a privileged Docker daemon to use containers; Podman doesn’t use a daemon. – Stephen Kitt Apr 20 '23 at 11:56
  • 1
    It's also possible to run docker as a nonprivileged user. – Shadur-don't-feed-the-AI Apr 21 '23 at 07:10
0

Container systems/services like Docker or LXD/LXC or with cloud services like Amazon Elastic Container Service (EC2), Amazon Elastic Container Service for Kubernetes, Microsoft Azure Kubernetes Service and Google Kubernetes Engine (GKE), are in my opinion, the best solution for software development in general, because you can divide all parts into microservices, test, use and share them separately and a use of a clever strategy to get away from monolithic systems.

container systems are simply the best for developing software because i can quickly and easily set up and start certain development environments or systems, test and try them out, and the resources are used and managed better than with vm's or a monolithic system.

In my opinion, I should have at least 3 separate systems for software projects, such as my development environment, my test environment and my production environment, and it would be best if these were physically and logically separate(now makes no sense for very small projects to separate physically and logically at all).

nothing is safe and not only the configuration of docker plays a role here, but the configuration of the whole system itself.

How is my operating system configured, what other software is running on it, how is my network set up with my firewall, how i share and use my groups and data, etc..

You can see that you can't answer all of this with one answer and there is a lot to consider

In any case, working and familiarizing yourself with container services like docker is a gain for you

Installing Docker itself is not inherently risky, it is important to understand the potential risks associated with creating Docker groups.

Docker groups allow users to run Docker containers without root privileges, which can be convenient and can improve security.

If you not managed properly, Docker groups can also create security vulnerabilities or if a user is added to the group without proper authentication and authorization, that user may be able to run arbitrary Docker containers, potentially leading to data breaches, malware infections, and other security incidents.

Ensure that Docker groups are created and managed in a secure manner like:

  • Limiting the number of users who have access to the Docker group
  • Users who are added to the Docker group are properly authenticated and authorized
  • Monitoring Docker container activity to detect and prevent unauthorized access and malicious activity
  • Keeping Docker up to date with the latest security patches and updates
  • Unrestricted traffic
  • Some versions of Docker allow all network traffic on the same host by default
  • Vulnerable and malicious container images
  • Unrestricted access
  • Vulnerable host kernel
  • Container breakouts

Creating the docker group by itself does not imply a security risk (which is what you have been asking). But adding a user to this group may increase your attack surface (which is what you probably wanted to ask). The actual security risk depends on your threat model.

https://security.stackexchange.com/questions/178542/is-adding-docker-group-not-a-good-idea

Docker security

Z0OM
  • 3,149