Restricting access to mounted /var/run/docker.sock

I am currently developing a webapp using docker-compose and Docker. Currently, there is a front-end Nginx reverse proxy server in one container and a Rails app in another container.

Sometimes, the Rails app needs to make changes to the Nginx configuration files. I’ve implemented this by mounting the configuration directory as a shared volume in both containers.

However, to force Nginx to reload its configuration files after the Rails app modifies them, it needs to send a HUP signal to the Nginx process. At the moment, I am implementing this by mounting the host’s /var/run/docker.sock into the Rails app container and using a gem to ask the host Docker to send the signal to the right container.

This works fine but now I’m worried about security. If the Rails container is compromised, then the attacker will have root access to the host.

I thought about creating another container whose sole job is to broker access to the socket and exposing a limited API to the main Rails app. But then we run into the same problem of what happens when the broker is also compromised. Not only that, but surely there’s an easier way?

I searched for some solutions to limit which APIs can be called on /var/run/docker.sock but I wasn’t able to find any solutions.

Does anyone have any ideas? Perhaps there is some other way I can reload the Nginx configuration files without having to go through the Docker API?
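One way to trigger the reload without any container touching /var/run/docker.sock, as an added example that is not part of the original question: run a small watcher inside the Nginx container that polls the shared configuration volume, validates the new files with `nginx -t`, and only then issues `nginx -s reload` (which sends the HUP to the Nginx master). The volume path and poll interval are assumptions; the Rails container then needs nothing but write access to the shared volume.

```shell
#!/bin/sh
# Added example: reload nginx from inside its own container when the shared
# config volume changes. No docker.sock mount is needed anywhere.
CONF_DIR="${CONF_DIR:-/etc/nginx/conf.d}"   # assumed path of the shared volume
INTERVAL="${INTERVAL:-2}"                   # assumed poll interval in seconds

# Fingerprint of every file under a directory: sorted path + contents piped
# through cksum (POSIX). This is change detection only, not an integrity
# check against an adversary; swap in sha256sum if you want a strong hash.
conf_fingerprint() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s\n' "$f"
    cat "$f"
  done | cksum | cut -d' ' -f1
}

# Validate first so a half-written or broken config never takes the proxy
# down; nginx keeps serving the last good config if the test fails.
reload_if_valid() {
  if nginx -t >/dev/null 2>&1; then
    nginx -s reload
  else
    echo "nginx config invalid, reload skipped" >&2
    return 1
  fi
}

# Poll loop: remember the last fingerprint that was successfully applied so a
# rejected config is retried on the next change rather than silently dropped.
watch_loop() {
  last=$(conf_fingerprint "$CONF_DIR")
  while sleep "$INTERVAL"; do
    cur=$(conf_fingerprint "$CONF_DIR")
    if [ "$cur" != "$last" ]; then
      reload_if_valid && last=$cur
    fi
  done
}

# Start the loop only when invoked with --watch (e.g. as a background process
# next to nginx in the container's entrypoint); sourcing the file just defines
# the functions.
case "${1:-}" in
  --watch) watch_loop ;;
esac
```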
