Docker group membership is more dangerous than sudo

The Docker daemon has setUID root, and by design allows easy access as root to the host filesystem. This makes it trivial for a malicious user to read and alter sensitive system files, or for a careless user to allow a malicious containerized app to do so. Access to Docker commands effectively grants full root power.

Also, Docker doesn't have any equivalent to sudo's password check, which means that a successful arbitrary-code-execution exploit against a user who is in the docker group effectively grants the attacker root. Thus, the safer choice is to never add a user account — even your own — to the docker group, so that Docker commands can only be used via sudo.

Docker is a solution for the management of lightweight process containers.

Docker can be installed from buster (or newer) repositories (see the docker.io package). Docker upstream also provides packages (for multiple different debian version): https://docs.docker.com/install/linux/docker-ce/debian/

Debian images are available in the docker.io official repository, but you may as well create some yourself (see more details on both options below). In Docker terminology, an image is an object that you can download, and reuse to instantiate new containers.

Ready-made images from docker.io's official Debian repository

Debian images provided in docker.io's official repositories (their "official images") are listed on their official debian images repository. The way these images are generated is now documented quite well in the image description (see below for pointers on re-creating images).

All that it takes to construct a container based on this image, is to use a declaration like the following in a Dockerfile :

FROM debian:sid

However you may not trust their maintainer on having done the right thing for you. See for instance https://joeyh.name/blog/entry/docker_run_debian/

Manual base image creation

See Cloud/CreateDockerImage for a detailed procedure (similar to the one used for the ready-made images), using the classical debootstrap Debian tool.

Of course, you'll then need to name that image in your preferred way, to reuse it in later Dockerfiles, for instance with :

FROM YOURUSER/minbase:sid

Running services inside Docker containers

See https://www.debian-administration.org/article/698/Automating_the_creation_of_docker_images for a description of how to automate image creation for services running Debian, which describes a way to ensure services will be started properly by runit inside the containers.

You may also be interested in the Debian adaptation of baseimage-docker made by obergix, which also uses runit to control services run inside a container.

John Goerzen has a set of Debian images which feature a full standard init system, cron, SMTP server, etc. in about 11MB of RAM. These are available for jessie, stretch, buster and sid, and are further discussed in a blog post.

See Also


CategoryVirtualization | CategorySoftware | CategorySystemAdministration