Restricting access to mounted /var/run/docker.sock

I am currently developing a webapp using docker-compose and Docker. Currently, there is a front-end Nginx reverse proxy server in one container and a Rails app in another container.

Sometimes, the Rails app needs to make changes to the Nginx configuration files. I’ve implemented this by mounting the configuration directory as a shared volume in both containers.

However, to force Nginx to reload its configuration files after the Rails app modifies them, it needs to send a HUP signal to the Nginx process. At the moment, I am implementing this by mounting the host’s /var/run/docker.sock into the Rails app container and using a gem to ask the host Docker to send the signal to the right container.

This works fine, but now I’m worried about security. If the Rails container is compromised, then the attacker will have root access to the host.

I thought about creating another container whose sole job is to broker access to the socket and exposing a limited API to the main Rails app. But then we run into the same problem of what happens when the broker is also compromised. Not only that, but surely there’s an easier way?

I searched for some solutions to limit which APIs can be called on /var/run/docker.sock, but I wasn’t able to find any.

Does anyone have any ideas? Perhaps there is some other way I can reload the Nginx configuration files without having to go through the Docker API?
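Added example (not part of the original post, and not the gem or project the poster uses): a small Ruby allow-list broker of the kind proposed in the question. It listens on its own Unix socket, which is what gets mounted into the Rails container instead of docker.sock, and the only thing it will ever send to the Docker daemon is the Engine API call `POST /containers/<name>/kill?signal=HUP` for the Nginx container. Every other request is refused with a 403 before it reaches the daemon, and the forwarded request is rebuilt from constants rather than copied from the client, so no client-supplied path, query or header reaches Docker. The broker socket path /run/nginx-reload.sock and the container name nginx are assumptions. The broker container itself still needs docker.sock mounted and so remains root-equivalent, which is the residual risk the question already identifies; what changes is that the Rails container has no route to the daemon other than this one fixed call.

```ruby
# Added example, not from the original post: allow-list broker in front of
# /var/run/docker.sock that forwards exactly one Docker Engine API call.
require 'socket'
require 'uri'

DOCKER_SOCK     = '/var/run/docker.sock'
BROKER_SOCK     = '/run/nginx-reload.sock'  # assumed: mount this, not docker.sock, into the Rails container
NGINX_CONTAINER = 'nginx'                    # assumed name of the Nginx container

# The only request the broker ever sends to the daemon. It is rebuilt from
# constants rather than copied from the client, so no client bytes reach Docker.
def docker_request(container = NGINX_CONTAINER)
  "POST /containers/#{container}/kill?signal=HUP HTTP/1.1\r\n" \
  "Host: docker\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
end

# Allow-list check on the client's request line. An optional API version
# prefix (/v1.xx) is tolerated; anything but a HUP to the Nginx container
# is refused, including a kill with no signal (which would default to SIGKILL).
def allowed_request?(request_line)
  m = request_line.strip.match(%r{\APOST (?:/v\d+\.\d+)?/containers/([^/?]+)/kill(?:\?(.*))? HTTP/1\.[01]\z})
  return false unless m && m[1] == NGINX_CONTAINER
  URI.decode_www_form(m[2].to_s).to_h == { 'signal' => 'HUP' }
end

def forbidden_response(reason)
  body = "#{reason}\n"
  "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n" \
  "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
end

# Serve one client connection and return the HTTP status sent back to it.
# `open_docker` yields an IO connected to the daemon; it is a parameter so the
# forwarding path can be exercised without a real daemon.
def handle(client, open_docker: -> { UNIXSocket.new(DOCKER_SOCK) })
  request_line = client.gets.to_s
  # drain the request headers; the one allowed call carries no body
  while (line = client.gets) && line.strip != ''; end
  unless allowed_request?(request_line)
    client.write(forbidden_response("only POST /containers/#{NGINX_CONTAINER}/kill?signal=HUP is permitted"))
    return 403
  end
  docker = open_docker.call
  docker.write(docker_request)
  response = docker.read          # Connection: close, so read to EOF
  docker.close
  client.write(response)
  response[%r{\AHTTP/1\.[01] (\d{3})}, 1].to_i
ensure
  client.close
end

# Accept loop: `ruby broker.rb serve` in a container that has docker.sock
# mounted; mount BROKER_SOCK (and only that) into the Rails container.
def run_broker(path = BROKER_SOCK)
  File.unlink(path) if File.exist?(path)
  server = UNIXServer.new(path)
  File.chmod(0o660, path)
  loop { Thread.new(server.accept) { |c| handle(c) } }
end

run_broker if ARGV.first == 'serve'
```

The Rails side then writes the same request line to /run/nginx-reload.sock and reads back the daemon's 204. One caveat worth checking before relying on this: the Engine API's kill endpoint signals the container's main process, so the HUP only reloads Nginx if Nginx is PID 1 of its container (it is under the official image's default command, but not if it is started behind a shell wrapper or a process supervisor).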
