0

Does running docker "engine" require sudo'ing constantly during development? Is that what you are doing? Do you sudo -i when operating docker? Or do you set a timer on sudo? Is there a safe way to operate it more handily e.g. enabling a key/pass manager?

Background

Having followed the Docker website's nudge to install "desktop" (even the "engine" URL endpoint links to desktop, albeit also the engine), I have encountered a few situations making me consider using the engine only on my linux:

  • constantly being prompted a passphrase for desktop upon initializing a credential pass with GPG - 'fixed' with seahorse/pass.
  • requiring sudo if using engine - can be fixed with a group albeit this is risky.
  • running two docker contexts: default (engine) and desktop-linux - can be switched but still prompts sudo.
  • engine and desktop showing two different lists upon docker context ls - may be solved by creating a root user context for the same docker endpoint.

This has made me more aware of the differences, described somewhat in the docker docs and forum.

Johan
  • 399

1 Answers1

1
1. Not as with docker on the host machine as root

Docker desktop is more secure (only) because it runs in a virtual machine. This means that a compromised user with docker-desktop access can only do damage to docker containers and and your docker engine, not the whole of your host system.

So a docker daemon running as root on the host system will always have this security vulnerability. That's just the nature of it.

At least this, running as a root daemon on the host without a VirtualMachine container, this will always drop you into a root terminal:

docker run -it --rm --privileged --pid=host ubuntu:latest nsenter -at 1
2. Docker Engine (no Desktop) in a Virtual Machine

There's nothing stopping you running docker in a virtual machine yourself, although you'd need to work through the semantics of making bind mounts work.

3. Non-root Docker

Your other option is to run docker as a non-root user. This should mean that docker itself has much less access to your system but it will add limitations to what you can run inside docker. See here: https://docs.docker.com/engine/security/rootless/

  • Only the following storage drivers are supported:
    • overlay2 (only if running with kernel 5.11 or later, or Ubuntu-flavored kernel)
    • fuse-overlayfs (only if running with kernel 4.18 or later, and fuse-overlayfs is installed)
    • btrfs (only if running with kernel 4.18 or later, or ~/.local/share/docker is mounted with user_subvol_rm_allowed mount option) -vfs
  • Cgroup is supported only when running with cgroup v2 and systemd. See Limiting resources.
  • Following features are not supported:
    • AppArmor
    • Checkpoint
    • Overlay network
    • Exposing SCTP ports
  • To use the ping command, see Routing ping packets.
  • To expose privileged TCP/UDP ports (< 1024), see Exposing privileged ports.
  • IPAddress shown in docker inspect is namespaced inside RootlessKit's network namespace. This means the > - IP address is not reachable from the host without nsenter-ing into the network namespace.
  • Host network (docker run --net=host) is also namespaced inside RootlessKit.
  • NFS mounts as the docker "data-root" is not supported. This limitation is not specific to rootless mode.
4. Make a dedicated, password-protected docker user

Make a dedicated user that you access with

sudo -iu docker-admin-user
AdminBee
  • 22,803
Philip Couling
  • 18,733
  • Nice. Thanks, Philip. Also for pointing out rootless mode. May I ask also what you do yourself then - do you sudo a whole lot? Use podman instead? Run "engine" in a VM with bind mounts? etc. :-) – Johan Mar 04 '24 at 12:34
  • 1
    If I'm totally honest, I just keep myself in the docker group and live with the risk (see xkcd). A half way pont might be to make a dedicated user that you access with sudo -iu docker-admin-user. That way there's limited risk of rogue software gaining access to that user with no password of it's own, but you are not forced to keep typing sudo over and over or re-entering your password. Podman will have similar risks. – Philip Couling Mar 04 '24 at 12:44
  • 1
    Right, so at least no desktop-linux AFAICT. And your risk calculus, I take it, is that if a hacker were able to operate docker without sudo worse things would probably happen. That makes sense. – Johan Mar 04 '24 at 12:54