0

I am very new to docker (and don't usually program at a 'systems' level). I will be working on an open source project with complete strangers over the web over the next couple of months. I trust them, but I like to not have to trust people (meant in the best possible way).

I would like to know, if I download various repositories from github or elsewhere, and run them inside a docker container, is it possible for them to cause harm to my laptop in any way?

In case it's relevant, the repositories will mostly be web applications (think django, node), and will likely use databases (postgres etc), and otherwise operate as regular locally hosted web applications. It is possible (like anything from github or the world wide web), that some apps could contain malicious code. I am curious to know if running such an app (containing malicious code) inside a docker container prevents that code from harming anything outside of the docker container (i.e. my laptop)?

dss
  • 103
  • 2

1 Answers1

2

With Linux containers, the container shares the same kernel as the host. So any vulnerabilities in the host's kernel could be used to escape from the container as root. However, if you keep your system up to date, this is unlikely to be of concern.

The main things to be careful with Docker are:

  1. Mounting filesystems in the container: If you map something like the host /etc as writable into the container, processes running as root in the container could mess with the host system's configuration and likely execute arbitrary code as root on the host. Mounting volumes can be performed with:

    # docker run ... -v /etc:/mnt/etc ...

  2. Allowing the container to access the Docker socket: This access allows a container to create and manipulate other containers, which can be useful in some cases. However, it allows the container to take advantage of #1 by mapping your root filesystem into a container, and modifying critical system files to gain code execution as root on the host. An example of this is:

    # docker run ... -v /var/run/docker.sock:/var/run/docker.sock ...

If you are careful with the above, that eliminates a lot of risks for escape. Another solution is instead use Red Hat's Podman (no affiliation here) which is almost a 100% drop-in replacement, or another alternative. The advantage is that it does not run as root, unlike Docker, so any damage is limited to whatever user account created the container. Podman is compatible with the exact same CLI and container image repositories, and I think it even lets you still call it as docker, so there is no effort needed to switch.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
  • Thanks very much. Since I am new, I am unlikely to notice code that does these things. Can you give some examples? Or are there some tools I can use to parse the dockerfile and tell me something's mounting filesystems or allowing access to the Docker socket? PS I have upvoted by my low reputation means it doesn't count yet – dss Aug 02 '20 at 20:48
  • @dss added the Docker commands needed to create these scenarios. – multithr3at3d Aug 03 '20 at 16:13