How can I expose the docker tcp api to the private container network?

xenoterracide asked:

I’d like one of my containers to be able to control docker itself, the way I’m currently doing it is by simply exposing the socket internally, but I don’t like this. What I’d really like to do is do it over tcp, authenticated. What I’m not sure of is how I can expose the docker tcp socket (on consistent IP or Domain) to the internal private network only.

How can I expose docker as a service to my containers?

My answer:

Docker doesn’t have authentication on its socket. Anyone who can access the socket can control all containers, and can effectively break out of the container and become root on the container host (if SELinux is not in use).

First, be extremely careful if you decide to do this, that you are only running trusted code.

Second, forget about TCP; just bind-mount the Docker socket to the container. This way, only that specific container can access Docker.

docker run -v /run/docker.sock:/run/docker.sock privileged_container

View the full question and any other answers on Server Fault.
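Since the answer's whole point is that socket access should be limited to one specific container, a useful follow-up check is to audit which containers actually have it. The script below is an added example, not part of the Server Fault answer: it parses `docker inspect` JSON (a constructed sample is embedded so it runs offline) and reports every container that bind-mounts the daemon socket, along with whether it is privileged.

```python
import json

# Host paths where the Docker daemon socket is commonly found; on most
# distributions /var/run is a symlink to /run, so both spellings are checked.
DOCKER_SOCKET_PATHS = {"/run/docker.sock", "/var/run/docker.sock"}

def socket_mounts(container):
    """Return the host paths in this container's inspect record that bind-mount
    the Docker socket, checking both the resolved Mounts list and HostConfig.Binds."""
    found = set()
    for m in container.get("Mounts") or []:
        if m.get("Type", "bind") == "bind" and m.get("Source") in DOCKER_SOCKET_PATHS:
            found.add(m["Source"])
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        src = bind.split(":", 1)[0]          # "host:container[:opts]" -> host path
        if src in DOCKER_SOCKET_PATHS:
            found.add(src)
    return sorted(found)

def audit(inspect_output):
    """Parse `docker inspect` JSON (a list of container records) and return
    (name, socket paths, privileged) for every container that can reach the daemon."""
    findings = []
    for c in json.loads(inspect_output):
        paths = socket_mounts(c)
        if paths:
            privileged = bool((c.get("HostConfig") or {}).get("Privileged"))
            findings.append((c.get("Name", "").lstrip("/"), paths, privileged))
    return findings

# Constructed sample resembling `docker inspect $(docker ps -q)` output; not real data.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/controller",
     "HostConfig": {"Binds": ["/run/docker.sock:/run/docker.sock"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/run/docker.sock",
                 "Destination": "/run/docker.sock"}]},
    {"Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html"}]},
])

if __name__ == "__main__":
    for name, paths, privileged in audit(SAMPLE_INSPECT):
        print(f"{name}: has Docker socket via {', '.join(paths)} (privileged={privileged})")
```

On a real host, feed it `docker inspect $(docker ps -q)` and treat any container in the output beyond the one intended controller as a finding.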

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.