Automatically add docker socket with --privileged

[cpuguy83]

Fixes #7841

[thaJeztah]

Hm. In #7841 you proposed to add a --plugin flag to add the socket, this PR will mount the socket for any container that has --privileged. I think either this PR or the proposal should be updated to mention this.

Wondering; is logical to assume that all privileged containers also want to have a socket?

(I agree that naming the flag --plugin will become confusing if Docker plugins are implemented, so some other name should be proposed)

Ps You missed a # before the issue number in your description, not sure if GitHub will automatically close the issue if it's missing?

[cpuguy83]

The thought here is that something with --privileged can access docker anyway, and a container with just a socket mounted in is not any more secure than a --privileged container (since something with access to Docker by definition has access to the entire system).

[thaJeztah]

Ok, sounds reasonable. In which case I guess an addendum / note should be added to the proposal with the design change?

[jamtur01]

Docker

[jamtur01]

Docs LGTM - minor comments. Ping @SvenDowideit @fredlf

[jessfraz]

I don't know... what if I want privileged but don't care about the docker socket...

[cpuguy83]

@jfrazelle Ignore it?
Most people who use --privileged don't need half the power that it gives, but they have it because that's the purpose of --privileged.

[jessfraz]

ya thats true seems reasonable enough to me

On Thu, Nov 13, 2014 at 12:32 PM, Brian Goff notifications@github.com
wrote:

@jfrazelle https://github.com/jfrazelle Ignore it?
Most people who use --privileged don't need half the power that it gives,
but they have it because that's the purpose of --privileged.

—
Reply to this email directly or view it on GitHub
#9135 (comment).

[cpuguy83]

Alternatively, we could add a new flag, --http-socket or something.

[fredlf]

While we're in here, missing word?
Either: "... as well as set some configuration variables in AppArmor to..."
or
"and configure AppArmor to..."

[progrium]

+1 !!

[SvenDowideit]

can you kill the unicode double quotes? :)

[SvenDowideit]

please explain to me why we would not also mount the Docker binary into this container too?

and what happens if there is a conflict - ie, does this cause dind weirdness? or worse, if i intentionally added a file by that name into my image.

(I really want this, but i want it fully - the current server's Docker binary too)

[cpuguy83]

@SvenDowideit I'm not sure how to mount in the binary... I think it's already happening at /.dockerinit, though.

If you added a file by that name to the image, it would be mounted over.
If you started a new daemon trying to use that same socket location, you'll get a "device or resource busy"
So maybe we can change the socket path to /.docker.sock or something to mitigate that.

[cpuguy83]

And doing a -v /var/run/docker.sock:/var/run/docker.sock mounts over it as well, so should be no problem there.

[progrium]

I would just install the Docker binary if you really needed it. But you don't always need it since you can use the socket from any Docker client library.

[SvenDowideit]

@progrium that argument can be made about the socket too - imo, if we're going to add the socket as a convenience, then giving the container a working client would make it futureproof - whereas relying on an installed client library means that you need different versions of the image whenever the daemon API version changes.

[tianon]

Mounting the Docker binary won't work in many, many cases, including and
especially almost all our distro-provided packages.

[jessfraz]

not to mention its a bit weird... we don't mount any other binaries..

[progrium]

As an image author, I can include the binary in the image if I need it. I cannot include the socket. The user has to mount it. That is the main point of the problem we're trying to solve. I honestly don't care if the binary is included or not. I will probably not use it.

[jessfraz]

perfectttt

[jessfraz]

can I ask why the rename?

[cpuguy83]

Just aesthetics.
To me calling "apiserver." is more revealing than "server.", but can change if you prefer.

[jessfraz]

ya i realized below server.Server is gross hehe

[jessfraz]

so this is fine :)

[cpuguy83]

awesome!

[SvenDowideit]

ok, sold - though your client may be out of date, you're right at least you can.

Docs LGTM when its updated to match the comments.

[cpuguy83]

Rebased. Docs updated.

[jamtur01]

Docs LGTM

[SvenDowideit]

Docs LGTM - @fredlf

[fredlf]

If it's "nearly" the same, we need to specify what's different.

[cpuguy83]

Hmm... This was really just a re-wording of the first part of that sentence for Sven.

Not sure what all the differences are... I could probably figure it out, but maybe in a separate pr?

[SvenDowideit]

+1 to separate PR, I'm not really sure what the differences are, but we can work with @crosbymichael to get something.

[fredlf]

Okay. But in that case we should remove the ambiguous language, as it is not confidence inducing for the user: "Docker will enable access to all devices on the and configure AppArmor to allow the container to access the host..."
Generally, terms like "mostly", "nearly", "almost", etc. are a no-no in tech writing.

[vbatts]

I don't think this is an expected behavior for --privileged. Something like this ought to stay an explicit action by the caller of docker run with -v /var/run/docker.sock:/var/run/docker.sock

If plugins are needing a communication back to the daemon, perhaps define a new means like a /dev/docker-plugin-control or such, rather than overloading a behavior that could interfere with existing expectations.

[tianon]

Heh, this will probably also cause problems with our integration tests,
which are run inside a privileged container that expects to be able to
setup dind on /var/run/docker.sock inside the container (which we can
change, but that's another hoop to jump through for this change, and we
won't be the only ones).

[cpuguy83]

For sure we can put the socket elsewhere easily enough.
I think this is not overloading so much as giving more privilege (or rather easier access to privilege), and makes the life of people making containers that depend on talking to docker (ie, event watchers, ambassadors, etc).

Keep in mind, not all daemon's have a unix sock available to mount in.

[jessfraz]

the cmd() function has been removed from the test utils so the tests will need to be updated

[cpuguy83]

Updated, also changed location of socket to /.docker.sock

[vbatts]

Are we sure we should automagically be doing this? I'm still hesitant

[crosbymichael]

I do not like this at all and it's much better to be explicit. It's not that hard at all if you have to specify --privileged to specify -v /var/run/docker.sock:/var/run/docker.sock

Lets not do this as the cons of adding this vastly outweigh the pain of adding a flag especially when you don't want extra linux CAPs, security profiles.

NOT LGTM

[jessfraz]

I agree, NOT LGTM