Add unix socket for daemon access for privileged containers

[crosbymichael]

This adds a separate socket for providing introspection to containers.
It is automatically added to all privileged containers as well as the
current copy of the docker client binary for use with the socket.

The socket will be placed in /run/docker.sock. All linux
systems/images should have a symlink from /var/run to /run.

The introspection socket does not include the swarm/1.12 endpoints as
these require advanced authentication for use. The consumers will get a
404 if they try to access a swarm endpoint.

Signed-off-by: Michael Crosby crosbymichael@gmail.com

[icecrime]

I like it 👍 cc @justincormack

[aluzzardi]

Overall LGTM

Wondering if this should be --privileged or another flag. Although I guess they're interchangeable: if you have access to docker you can easily become privileged, and if you're privileged you can get access to the docker socket anyway.

/cc @diogomonica

[crosbymichael]

@aluzzardi ya, it should be another flag as well, waiting for @justincormack to remind me of the good flag name that he thought of, but for testing right now we can add this with privileged containers as it fits the number 1 use case.

[thaJeztah]

earlier discussion #9135 and #9135 (comment) 😇

[diogomonica]

@crosbymichael what changed? :)

[tonistiigi]

Why mount the binary? This is very unlikely to work inside a container with dynamic binaries. Doesn't even work with debian.

[justincormack]

Yes, mounting the binary will not work in general, should not do this (the user can bind mount if they think it will).

[crosbymichael]

isn't it static?

[thaJeztah]

Overall, I'm a bit confused; is this PR for introspection or for controlling docker? For introspection, I'd expect a container to be able to obtain information about itself (published ports on the host, labels, ...?)

For controlling docker, this makes sense, but various discussions in the past lead to a conclusion that we should not do this without fine-grained control over what access the container gets. For example, there's many use-cases of containers that only need access to docker events, without the need to be able to control docker. Currently those bind-mount the docker socket (which is obviously insecure), some things from the top of my head;

• being able to listen to a (filtered) set of docker events (specific type of events, or only events for specific containers / services), and (related) being able to inspect the source of that event
• getting access to docker stats (filtered?)

If we decide on providing full access by default, changing that to a limited set may be complicated in future. I'd far more like a limited introspection API to start with, and opening up more features when needed.

I really don't like connecting this to --privileged, I think --privileged in general was a bad decision (I think @jpetazzo even mentioned he wanted to call it --insecure at first); we discourage people to use --privileged because it's adding way too much privileges; adding more features to it only seems to encourage people to use it (because it's convenient).

Just my 0.02c.

TL;DR; I really like having an introspection API as a feature, but in this form, I don't see it as an improvement over what we currently have

[cpuguy83]

Won't this break anyone starting docker daemon in a container?

[crosbymichael]

@justincormack what was the flag name that you were thinking about for this feature ?

[justincormack]

@crosbymichael I forget, its annoying me...

The janky failure looks real, read only rootfs.

@cpuguy83 comment is an issue I think - either we should put the introspection socket on a different path (ugh) or make it optional.

[crosbymichael]

when we figureout a good flag name i'll just remove this from --privileged

[cpuguy83]

For the flag name, given it's just a socket to the daemon and not specifically introspection per se, why not call it as such?
Something like --daemon-socket /path/to/socket (or something along those lines).

[tonistiigi]

I'd prefer a flag that lets us extend this feature in the future:

--cap-add DOCKER_PRIVILEGED_DAEMON
--docker-cap-add PRIVILEGED_DAEMON
--security-opt docker=privileged-daemon

[crosbymichael]

@ibuildthecloud have you seen this? Do you have any comments/concerns?

[crosbymichael]

Lets close this until we have a better idea on what people expect and want