Replace host Docker socket bind with rootless docker-in-docker#77
Open
YuseiIto wants to merge 1 commit into
Conversation
Bind-mounting /var/run/docker.sock gave the dev container full control of the host Docker daemon, which is effectively host root (it can start a privileged container or mount the host filesystem). A container compromise therefore escalated straight to the host. Remove the host socket mount and run a rootless Docker daemon inside the container instead, so Docker stays available without the host-root path:

- docker cookbook installs docker-ce-rootless-extras and the rootless prerequisites (uidmap, fuse-overlayfs, slirp4netns, dbus-user-session) on Debian/Ubuntu.
- .devcontainer/start-rootless-docker.sh starts dockerd-rootless.sh on the per-user runtime socket; it no-ops when the rootless tooling is absent so it never blocks container startup.
- devcontainer.json drops the socket mount, points DOCKER_HOST at the rootless socket, pins the user UID, and runs the start script via postStartCommand.
Background
/var/run/docker.sock was bind-mounted into the container. This is a classic escalation path: starting a --privileged container or mounting the host filesystem gives effective host root.

Fix: rootless docker-in-docker
Stop sharing the host socket and replace it with a rootless Docker daemon running inside the container's user namespace. This cuts off the path to host root while keeping Docker available.

- mitamae/cookbooks/docker/default.rb: add docker-ce-rootless-extras and the rootless prerequisite packages (uidmap, fuse-overlayfs, slirp4netns, dbus-user-session) to the Debian/Ubuntu branch.
- .devcontainer/start-rootless-docker.sh: start dockerd-rootless.sh on the per-user runtime socket. When the rootless tooling is absent it is a no-op and does not block container startup.
- .devcontainer/devcontainer.json: remove the host socket mount, point DOCKER_HOST at the rootless socket, pin the UID, and run the start script via postStartCommand. The read-only bind mount of ~/.ssh is kept as agreed in review.

Impact on CI
The devcontainer job in test.yaml pulls the prebuilt bamboo-latest image (which does not yet include the rootless extras), so the start script detects that dockerd-rootless.sh is absent and skips; startup succeeds. Once this PR is merged into main and the image is rebuilt by build.yaml, the rootless daemon is actually enabled in subsequent devcontainer sessions.

Verification
rubocop: 100 files inspected, no offenses
shellcheck (new script): pass
https://claude.ai/code/session_01AA3kErMVaeCYEX81JNdwXx
Generated by Claude Code
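An illustrative rootless start script of the kind the PR describes, written here as an added example; it is not the PR's own .devcontainer/start-rootless-docker.sh. The helper names and the /run/user/<uid> socket convention are assumptions, and the tooling checks go slightly beyond the description by also probing the slirp4netns and newuidmap prerequisites.

```shell
#!/bin/sh
# Hypothetical start-rootless-docker.sh: start a rootless dockerd on the
# per-user runtime socket, or silently skip when the tooling is missing so
# the prebuilt image (without rootless extras) still starts cleanly.

# Socket URL for a given UID, following the /run/user/<uid> convention
# (assumed; the real path is whatever XDG_RUNTIME_DIR points at).
rootless_socket() {
  printf 'unix:///run/user/%s/docker.sock\n' "$1"
}

# True when the host daemon socket is still present in this container.
# This is the escalation path the PR removes; a devcontainer using rootless
# docker-in-docker should never see it.
host_socket_mounted() {
  [ -S /var/run/docker.sock ]
}

# True when dockerd-rootless.sh (docker-ce-rootless-extras) and the
# prerequisites it needs for networking and uid mapping are on PATH.
rootless_available() {
  command -v dockerd-rootless.sh >/dev/null 2>&1 &&
  command -v slirp4netns       >/dev/null 2>&1 &&
  command -v newuidmap         >/dev/null 2>&1
}

start_rootless_docker() {
  if ! rootless_available; then
    echo "rootless docker tooling not installed; skipping" >&2
    return 0                      # no-op: never fail container startup
  fi
  uid="$(id -u)"
  export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$uid}"
  mkdir -p "$XDG_RUNTIME_DIR" || return 0   # runtime dir is normally created by the user session
  export DOCKER_HOST="$(rootless_socket "$uid")"
  if [ -S "$XDG_RUNTIME_DIR/docker.sock" ]; then
    return 0                      # daemon already running for this user
  fi
  nohup dockerd-rootless.sh >"$XDG_RUNTIME_DIR/dockerd-rootless.log" 2>&1 &
}
```

In a devcontainer postStartCommand you would call start_rootless_docker and, as a sanity check, treat host_socket_mounted returning true as a misconfiguration.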