I have an application which I'd like to give the privilege to launch short-lived tasks and schedule these as docker containers. I was thinking of doing this simply via docker run.
As I want to make the attack surface as small as possible, I treat the application as untrusted. As such it can potentially run arbitrary docker run commands (if the codebase contained bug or the container was compromised, input was improperly escaped somewhere etc.) against a predefined docker API endpoint.
This is why I'd like to restrict that application (effectively a scheduler) in some ways:
- prevent
--privilegeduse - enforce
--read-onlyflag - enforce memory & CPU limits
I looked at couple of options:
- selinux
- the selinux policies would need to be set on the host level and then propagated inside the containers via
--selinux-enabledflag on thedaemonlevel. The scheduler can however override this anyway viarun --privileged.
- the selinux policies would need to be set on the host level and then propagated inside the containers via
- seccomp profiles
- these are only applied at a time of launching the container (seccomp flags are available for
docker run)
- these are only applied at a time of launching the container (seccomp flags are available for
- AppArmor
- this can (again) be overriden on the scheduler level via
--privileged
- this can (again) be overriden on the scheduler level via
- docker daemon
--exec-optsflag- only a single option is actually available for this flag (
native.cgroupdriver)
- only a single option is actually available for this flag (
It seems that Docker is designed to trust container schedulers by default. Does anyone know if this is a design decision?
Is there any other possible solution available w/ current latest Docker version that I missed?
I also looked at Kubernetes and its Limit Ranges & Resource Quotas which can be applied to K8S namespaces, which looked interesting, assuming there's a way to enforce certain schedulers to only use certain namespaces. This would however increase the scope of this problem to operating K8S cluster.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 男人必须洒脱 的文章《Is there a way to restrict untrusted container sch》','https://www.manongdao.com/article-735235.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}