From 0080368fd6178219708b82be4cad97399e0de567 Mon Sep 17 00:00:00 2001 From: Warren Young Date: Mon, 2 Jun 2025 09:07:05 -0600 Subject: [PATCH] Clarified the consequences of --network=host MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The prior version talked about potential access to DBus, but this is a bogus warning: default OS setups do not bind DBus to localhost or to an abstract Unix socket. It is possible that the original author was thinking of CVE-2020–15257, which affected containerd's abstract Unix socket; they fixed it by switching to a named socket, just as DBus always (?) has done. Signed-off-by: Warren Young Signed-off-by: Paul Holzinger --- docs/source/markdown/options/network.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/markdown/options/network.md b/docs/source/markdown/options/network.md index d97ba4218a..eb0d304f4a 100644 --- a/docs/source/markdown/options/network.md +++ b/docs/source/markdown/options/network.md @@ -27,7 +27,7 @@ Valid _mode_ values are: - **container:**_id_: Reuse another container's network stack. -- **host**: Do not create a network namespace, the container uses the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. +- **host**: Use the host's network namespace for the container instead of creating an isolated namespace. Warning: This gives the container full access to abstract Unix domain sockets and to TCP/UDP sockets bound to localhost. Since these mechanisms are often used to prevent access to sensitive system services, isolating them from access by external entities, use of this option may be considered a security vulnerability. - **ns:**_path_: Path to a network namespace to join.
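Review bot: The replacement **host** line in the hunk is accurate about the exposure (abstract Unix domain sockets and localhost-bound TCP/UDP sockets) but its second sentence is a run-on that buries the point, and "may be considered a security vulnerability" is a hedge where the docs should state the consequence plainly. Suggest splitting it into two short sentences along the lines of: "Warning: the container shares the host's network stack, so it can reach abstract Unix domain sockets and any TCP/UDP service bound to localhost." followed by "Such services are usually isolated by the network namespace and are often not hardened against access from other processes, so this option removes a security boundary between the container and the host." The commit message's reasoning (DBus uses a named filesystem socket, which a shared network namespace does not expose) is worth a clause in the doc too, since it explains why the old D-Bus warning was dropped and which kinds of sockets are not affected.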