Restricting access to mounted /var/run/docker.sock

I am currently developing a webapp using docker-compose and Docker. Currently, there is a front-end Nginx reverse proxy-server in one container and a Rails app in another container.

Sometimes, the Rails app needs to make changes to the Nginx configuration files. I’ve implemented this by mounting the configuration directory as a shared volume in both containers.

However, to force Nginx to reload its configuration files after the Rails app modifies them, it needs to send a HUP signal to the Nginx process. At the moment, I am implementing this by mounting the host's /var/run/docker.sock into the Rails app container and using a gem to ask the host Docker to send the signal to the right container.

This works fine, but now I'm worried about security. If the Rails container is compromised, then the attacker will have root access to the host.

I thought about creating another container whose sole job is to broker access to the socket and to expose a limited API to the main Rails app. But then we run into the same problem of what happens when the broker is also compromised. Not only that, but surely there's an easier way?

I searched for some solutions to limit which APIs can be called on /var/run/docker.sock, but I wasn't able to find any.

Does anyone have any ideas? Perhaps there is some other way I can reload the Nginx configuration files without having to go through the Docker API?
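The "broker with a limited API" sketched in the question, written out as an added example (this is not code from the original post or from any Docker project). It assumes the Nginx container is named `nginx`, the host socket is mounted into the broker at the default `/var/run/docker.sock`, and the Rails container reaches the broker on the compose network at port 2375; those names and the `is_allowed` policy function are this example's own. The only request it forwards to the daemon is `POST /containers/nginx/kill?signal=HUP`; every other verb, path, container name or query parameter is refused before it touches the socket, so a compromised Rails container can do nothing with the broker except reload Nginx.

```python
"""Allow-listing broker in front of /var/run/docker.sock.

Forwards exactly one Docker API call, a HUP to one named container,
and answers 403 to everything else without contacting the daemon.
"""
import http.client
import os
import re
import socket
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions for this example (not from the original post).
DOCKER_SOCK = os.environ.get("DOCKER_SOCK", "/var/run/docker.sock")
ALLOWED_CONTAINER = os.environ.get("ALLOWED_CONTAINER", "nginx")
LISTEN = ("0.0.0.0", 2375)

# Optional "/v1.41"-style API version prefix, then exactly /containers/<name>/kill.
_KILL_PATH = re.compile(r"(/v\d+\.\d+)?/containers/([^/]+)/kill")


def is_allowed(method: str, request_target: str, container: str = ALLOWED_CONTAINER) -> bool:
    """True only for a HUP to the one allowed container.

    Exact allow-list: one verb, one path shape, one container name, one
    query parameter with one of two spellings. A missing ``signal`` is
    refused because the daemon's default for /kill is SIGKILL.
    """
    if method != "POST":
        return False
    parts = urllib.parse.urlsplit(request_target)
    match = _KILL_PATH.fullmatch(parts.path)
    if match is None or match.group(2) != container:
        return False
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    return set(query) == {"signal"} and query["signal"] in (["HUP"], ["SIGHUP"])


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that speaks to a Unix socket instead of a TCP host."""

    def __init__(self, sock_path: str):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


class BrokerHandler(BaseHTTPRequestHandler):
    def _deny(self):
        self.send_error(403, "refused by broker policy")

    # Nothing but POST is ever forwarded.
    do_GET = do_HEAD = do_PUT = do_DELETE = do_PATCH = _deny

    def do_POST(self):
        if not is_allowed("POST", self.path):
            self._deny()
            return
        # The kill endpoint takes no body; drain whatever the client sent.
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        conn = UnixHTTPConnection(DOCKER_SOCK)
        try:
            conn.request("POST", self.path, headers={"Content-Length": "0"})
            resp = conn.getresponse()
            body = resp.read()
        except OSError as exc:
            self.send_error(502, f"docker socket unreachable: {exc}")
            return
        finally:
            conn.close()
        # Relay the daemon's status and body (204 on success, 404/409 otherwise).
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type") or "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main():
    HTTPServer(LISTEN, BrokerHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it as its own container with only the socket mounted; the Rails container then needs no socket at all and calls `POST http://broker:2375/containers/nginx/kill?signal=HUP`. `docker kill` delivers the signal to the container's PID 1, so this only reloads Nginx if the Nginx master process is PID 1 in that container. The caveat the question raises still stands: the broker itself holds root-equivalent access to the host, so it should be a minimal image with no shell and no other network reachability, and the policy function, not the application, is the thing to review.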
