Risks of Running Docker Daemon as Root

The docker daemon does run as root, as it interfaces with the host operating system in a fairly fundamental manner. However, that’s no different from most (if not all) system daemons that make use of Linux capabilities which require that privilege.

This doesn’t mean that using docker is insecure, just that you need to be careful with how you use it. Luckily there is already some fairly good security configuration advice available on this, from Docker themselves and in the form of a security configuration “best practices” guide from the Center for Internet Security.

There are a couple of practical considerations which you do need to be aware of when running docker.

First up, if someone is a member of the “docker” group on the host, they’re effectively root on the system, as it’s possible to use docker to escalate privileges in this case. So you need to treat membership of that group on production hosts with care.

Docker uses Linux capabilities to restrict what actions a user inside a container can take, so just being root inside a container doesn’t necessarily mean automatic root on the host. That said, you do need to be careful with things like volume mounts (for example, mounting a system directory from the host into a container), as this can allow a root user inside a container to make changes to files on the host.

You can also reduce the capabilities provided to a container fairly easily, which can improve the security of the process further.

Also remember that you don’t need to run processes in containers as root; you can run them as other users with a bit of configuration, and this mitigates the volume mounting risk.
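As an added example (not from the original post), here is a small POSIX shell script that contrasts a permissive `docker run` with one applying the mitigations above (non-root user, dropped capabilities, read-only mounts), adds a simple check that flags the risky pattern in a command line, and audits docker group membership from a constructed /etc/group sample. The image name, paths and uid:gid are assumed placeholders; nothing here needs a running docker daemon.

```shell
#!/bin/sh
# Added example, not from the original post. Image name, paths and uid:gid are
# constructed placeholders.

# Permissive form: root inside the container, the full default capability set,
# and a read-write mount of the host root filesystem at /host. Root in the
# container can then edit host files such as /etc/passwd through /host.
permissive_run_cmd() {
    printf '%s' "docker run -v /:/host example/app"
}

# Hardened form:
#   --user       run as an unprivileged uid:gid (mitigates the volume-mount risk)
#   --cap-drop   start from an empty capability set
#   --cap-add    add back only what the workload needs (NET_BIND_SERVICE for :80)
#   --read-only  container root filesystem is immutable
#   -v ...:ro    host data is mounted read-only, so the container cannot modify it
hardened_run_cmd() {
    user="${1:-1000:1000}"
    printf '%s' "docker run --user $user --cap-drop ALL --cap-add NET_BIND_SERVICE --read-only -v /srv/app/data:/data:ro example/app"
}

# Static check over a `docker run` command line: print the mitigations that are
# missing (space separated) and return 0 only if none are missing.
check_run_cmd() {
    cmd="$1"
    missing=""
    case "$cmd" in *"--user "*) ;; *) missing="$missing user" ;; esac
    case "$cmd" in *"--cap-drop ALL"*) ;; *) missing="$missing cap-drop" ;; esac
    case "$cmd" in *" -v /:"*) missing="$missing host-root-mount" ;; esac
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# Constructed /etc/group sample; on a real host pass "$(cat /etc/group)".
SAMPLE_GROUP='root:x:0:
docker:x:999:alice,bob
users:x:100:'

# List members of the docker group: each of them is effectively root on the host.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

echo "permissive: $(permissive_run_cmd)"
echo "  missing mitigations: $(check_run_cmd "$(permissive_run_cmd)")"
echo "hardened:   $(hardened_run_cmd)"
echo "docker group members in sample: $(docker_group_members "$SAMPLE_GROUP")"
```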

I find that the way to think about containers is as processes on the host. If you compare running things in containers to running them directly on the host, I’d say that the container architecture is likely to add security rather than remove it, as you’ve got a better defined interface between the process and the host and more control over what the process can do on the host.

Also it’s worth noting that a richer user mapping architecture is coming fairly soon to docker (planned for 1.9), which will add some more options for restricting actions in a container.
