How can I expose the docker tcp api to the private container network?

Question

I'd like one of my containers to be able to control docker itself, the way I'm currently doing it is by simply exposing the socket internally, but I don't like this. What I'd really like to do is do it over tcp, authenticated. What I'm not sure of is how I can expose the docker tcp socket (on consistent IP or Domain) to the internal private network only.

How can I expose docker as a service to my containers?

score -1 · Answer 1 · answered Feb 09 '18 at 21:32

-1

Docker doesn't have authentication on its socket. Anyone who can access the socket can control all containers, and can effectively break out of the container and become root on the container host (if SELinux is not in use).

First, be extremely careful if you decide to do this, that you are only running trusted code.

Second, forget about TCP; just bind-mount the Docker socket to the container. This way, only that specific container can access Docker.

docker run -v /run/docker.sock:/run/docker.sock privileged_container

answered Feb 09 '18 at 21:32

Michael Hampton

244,070
43
506
972

And should I need to connect my same service to a different docker cluster? Which means local sock won't work – xenoterracide Feb 09 '18 at 23:15
That's a harder problem. In that case you should probably be running something like Kubernetes anyway. – Michael Hampton Feb 09 '18 at 23:16
Instead of swarm? – xenoterracide Feb 09 '18 at 23:36

How can I expose the docker tcp api to the private container network?

1 Answers1