Restricting access to mounted /var/run/docker.sock

I am currently developing a webapp using docker-compose and Docker. Currently, there is a front-end Nginx reverse proxy server in one container and a Rails app in another container.

Sometimes, the Rails app needs to make changes to the Nginx configuration files. I’ve implemented this by mounting the configuration directory as a shared volume in both containers.

However, to force Nginx to reload its configuration files after the Rails app modifies them, it needs to send a HUP signal to the Nginx process. At the moment, I am implementing this by mounting the host's /var/run/docker.sock into the Rails app container and using a gem to ask the host Docker to send the signal to the right container.

This works fine but now I'm worried about security. If the Rails container is compromised, then the attacker will have root access to the host.

I thought about creating another container whose sole job is to broker access to the socket and exposing a limited API to the main Rails app. But then we run into the same problem of what happens when the broker is also compromised. Not only that, but surely there's an easier way?

I searched for some solutions to limit which APIs can be called on /var/run/docker.sock but I wasn't able to find any solutions.

Does anyone have any ideas? Perhaps there is some other way I can reload the Nginx configuration files without having to go through the Docker API?
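The "broker container with a limited API" idea from the question, as an added example that is not part of the original post or of any project the poster mentions. It is a minimal allowlisting proxy in front of the Docker socket: the broker container is the only one that mounts /var/run/docker.sock, it listens on a plain TCP port reachable from the Rails container over the compose network, and the only request it forwards is `POST /containers/<name>/kill?signal=HUP` for one fixed container. Everything else (listing containers, creating containers, exec, other signals, other container names) is refused with 403 before it ever reaches the daemon. The container name `nginx`, the listen address `0.0.0.0:2375`, and the socket path are assumptions for the example; the `kill` endpoint and its `signal` query parameter are part of the real Docker Engine API.

```python
import http.client
import re
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumed deployment values (not from the original question):
DOCKER_SOCKET = "/var/run/docker.sock"   # mounted only into this broker container
TARGET_CONTAINER = "nginx"                # the one container the broker may signal
ALLOWED_SIGNALS = {"HUP", "SIGHUP"}       # the one signal it may send
LISTEN = ("0.0.0.0", 2375)                # reachable from the Rails container only via the compose network

# Matches "/containers/<name>/kill" with an optional API version prefix such as "/v1.24".
# "[^/]+" for the name means path tricks with "/" or ".." can never match.
_KILL_PATH = re.compile(r"(?:/v[0-9.]+)?/containers/([^/]+)/kill")


def is_allowed(method: str, raw_path: str) -> bool:
    """Allow-list decision: only POST .../containers/<TARGET_CONTAINER>/kill?signal=HUP passes."""
    if method != "POST":
        return False
    parsed = urlparse(raw_path)
    match = _KILL_PATH.fullmatch(parsed.path)
    if match is None or match.group(1) != TARGET_CONTAINER:
        return False
    signals = parse_qs(parsed.query).get("signal", [])
    # Exactly one signal parameter, and it must be HUP; "?signal=HUP&signal=KILL" is refused.
    return len(signals) == 1 and signals[0] in ALLOWED_SIGNALS


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to a Unix domain socket instead of a TCP host."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


class BrokerHandler(BaseHTTPRequestHandler):
    """Refuses everything that is_allowed() rejects; forwards the single permitted request."""

    def _deny(self):
        self.send_response(403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"denied by docker-socket broker\n")

    def _forward(self):
        conn = UnixHTTPConnection(DOCKER_SOCKET)
        try:
            conn.request("POST", self.path)
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        # Relay status and body; re-derive Content-Length rather than trusting upstream framing headers.
        self.send_response(resp.status)
        ctype = resp.getheader("Content-Type")
        if ctype:
            self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _handle(self):
        if is_allowed(self.command, self.path):
            self._forward()
        else:
            self._deny()

    # Every method ends up in the same allow-list check, so GET /containers/json etc. get 403.
    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = do_PATCH = _handle

    def log_message(self, fmt, *args):
        # Log every decision with the peer address so denied attempts are visible to the defender.
        print("%s - %s" % (self.client_address[0], fmt % args))


if __name__ == "__main__":
    HTTPServer(LISTEN, BrokerHandler).serve_forever()
```

With this in place the Rails container no longer mounts the socket at all; its reload step becomes a single HTTP call to the broker (for example `POST http://broker:2375/containers/nginx/kill?signal=HUP`), and a compromised Rails container gains nothing beyond the ability to HUP Nginx. The residual risk the question identifies remains: the broker itself still holds the socket, so it should run no other code, mount nothing else, and be the only service on a network that the Rails container can reach it on.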
