docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9038 from AkihiroSuda/patch-11 

Strongly recommend TLS for API socket
This commit is contained in:
Dawn W 2019-07-23 11:18:40 -07:00 committed by GitHub
parent b6bab26a22 b690a3213d
commit e5c4444db8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
engine/security/security.md
View File

@ -78,8 +78,9 @@ started in 2006, and initially merged in kernel 2.6.24.
## Docker daemon attack surface ## Docker daemon attack surface
Running containers (and applications) with Docker implies running the Running containers (and applications) with Docker implies running the
Docker daemon. This daemon currently requires `root` privileges, and you Docker daemon. This daemon requires `root` privileges unless you opt-in
should therefore be aware of some important details. to [Rootless mode](https://github.com/docker/engine/blob/v19.03.0-rc3/docs/rootless.md)
(experimental), and you should therefore be aware of some important details.
First of all, **only trusted users should be allowed to control your First of all, **only trusted users should be allowed to control your
Docker daemon**. This is a direct consequence of some powerful Docker Docker daemon**. This is a direct consequence of some powerful Docker
@ -108,10 +109,17 @@ socket.
You can also expose the REST API over HTTP if you explicitly decide to do so. You can also expose the REST API over HTTP if you explicitly decide to do so.
However, if you do that, be aware of the above mentioned security However, if you do that, be aware of the above mentioned security
implications. Ensure that it is reachable only from a implications.
trusted network or VPN or protected with a mechanism such as `stunnel` and Note that even if you have a firewall to limit accesses to the REST API
client SSL certificates. You can also secure API endpoints with [HTTPS and endpoint from other hosts in the network, the endpoint can be still accessible
certificates](https.md). from containers, and it can easily result in the privilege escalation.
Therefore it is *mandatory* to secure API endpoints with
[HTTPS and certificates](https.md).
It is also recommended to ensure that it is reachable only from a trusted
network or VPN.
You can also use `DOCKER_HOST=ssh://USER@HOST` or `ssh -L /path/to/docker.sock:/var/run/docker.sock`
instead if you prefer SSH over TLS.
The daemon is also potentially vulnerable to other inputs, such as image The daemon is also potentially vulnerable to other inputs, such as image
loading from either disk with `docker load`, or from the network with loading from either disk with `docker load`, or from the network with