Docker integration: Exposing Docker socket to Traefik container is a serious security risk

[codethief]

Do you want to request a feature or report a bug?

Bug

What did you do?

I followed the official instructions to get Traefik running with Docker (and Let's Encrypt).

What did you expect to see?

I would have expected that the part of Traefik which communicates with the Docker daemon and updates Traefik's configuration accordingly when containers are started/stopped would happen in a different container, separate from the Traefik container as the latter is typically exposed to the internet.

What did you see instead?

The official docs instructed me to expose the Docker socket to the Traefik container itself. This is widely recognized to be a serious security issue, see 1, 2, 3, 4 and 5, as it basically means that anyone who manages to compromise Traefik obtains root on the host machine. Note that this is even worse than running a regular (non-Docker-integrated) reverse proxy outside any container directly on the host machine as such a proxy usually doesn't run as root.

Unfortunately, I couldn't find any other way in the docs to get Traefik set up with Docker.

Suggested solution

Move the part of Traefik that regularly pulls the container list from the Docker daemon and updates the Traefik configuration into a separate binary so that it can be run in a separate container, similar to what the nginx-proxy project suggests (see section "separate containers"). This seems to be the only solution that fully isolates the docker.sock-accessing part of the application from network requests. Compared to this, other solutions like using an authz plugin could, in theory, still be compromised.

PS: I am aware that some might consider my report a feature request, not a bug, as the current behavior & instructions seem to be the officially accepted way to integrate Traefik with Docker. However, I still think that any security issue – whether widely accepted or not – should 1) be considered a bug and 2) be at least mentioned in the official documentation.

[3b0b]

I absolutely agree that this should be addressed more thoroughly. I just wanted to share here, for anyone who comes across it, what I'm currently using as something of a workaround. I'm running a minimally adapted version of https://github.com/Tecnativa/docker-socket-proxy as a standalone container on each swarm manager, connected to a docker network specific to the purpose, connecting the traefik service to that network as well, and pointing Traefik to the proxied port.
In this way I don't change the behavior on the host, I don't expose the socket over TCP except inside that one docker network, and I don't have to deal with configuring an authz plugin, but I allow the Traefik container to access only the endpoints it needs with only GET requests, and in addition to breaking out inside the Traefik container an attacker would also have to break either out of the container to the host without direct access to the socket, or across to the haproxy container.

Why a standalone container? ...because I have namespace mapping enabled and selinux enforcing, and I needed --userns=host for the proxy to access the socket. I'm not sure that's the only alternative, but it's the one I found. I'd like to revisit this and figure out a way I could do it with a manager-node-restricted service instead, but right now I don't have time to figure out if that's possible.

Why a slight modification instead of just using the approach as supplied by Tecnativa (or copying the config and using haproxy directly)? ...because I wanted to install socat in the image and modify the haproxy docker entrypoint to use socat to redirect the container's /dev/log socket to STDOUT. (Edit: I did not originally mention that this is because haproxy doesn't follow the general Docker practice of logging to STDOUT unless instructed otherwise.)

I'm sure this could be done with quite a few other approaches. In fact, at one point I was trying to figure out if I could accomplish this using nothing but socat and sed, but if that would have been possible at all, it was beyond my level of regex-fu.

[emilevauge]

@codethief Thanks for reporting this.
I fully agree with you on the fact there is a lack in our doc on this topic.
Sometimes things seem obvious to few of us, but this is because we are dealing with this everyday. Which is not the case of all our users, so you are right, we should do something.
This lack of granularity of the Docker API is a pain, really :'(

• We will update the documentation to warn our users with this, and add possible workarounds
• We are working on a far better solution for production deployments that should be out soon ;)