Coder proxied access to Docker Engine docker.sock
When running Coder as a container, is it possible to redirect Docker socket access to a tcp:// connection to reduce root privilege threat exposure instead of a volume mount?
7 Replies
Category: Help needed
Product: Coder (v2)
Platform: Linux
Could you elaborate a bit? Do you mean the Docker socket for the Coder container so that it can build Docker-based workspaces?
If yes, you can remove that mount altogether and set up the Docker provider using tcp or ssh.
See:
https://registry.terraform.io/providers/kreuzwerker/docker/latest/docs#remote-hosts
Hey Atif, I mean for running Coder server within Docker.
I see that it currently needs write access to /var/run/docker.sock, which is generally not recommended. Docker socket access can also be exposed through a TCP connection, which effectively prevents someone from issuing Docker Engine API commands directly via a socket, which can promote container breakout scenarios. For example, Traefik, Portainer and other apps that want to interact with the Docker socket can use the tcp://machine:2375 notation. I wanted to understand if it was possible to use this instead of direct socket access.
I think we may be talking about the very same thing but I'm just trying to piece that together in my head.
To confirm, if I'm running Coder Server inside a Docker container, the bind mount to /var/run/docker.sock is optional, and if I want to spin up Docker container based workspaces, I can instead use the Docker provisioner TF to define how to consume the Docker API with:
Yes
Thanks.
LMK if it works.
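For readers piecing together the answer above (configure the kreuzwerker/docker Terraform provider with a remote tcp or ssh host instead of bind-mounting the socket into the Coder server container), here is an added example. It is not code from this thread or from the Coder project; the hostname docker-host.example.internal, the certificate directory /certs/client, the SSH user and key path, and the workspace image are all assumed values you would replace with your own.

```hcl
terraform {
  required_providers {
    docker = {
      source = "kreuzwerker/docker"
    }
  }
}

# Variant A (assumed values): reach the Docker Engine API over TLS on port 2376.
# A plain tcp://host:2375 listener has no authentication at all, so anyone who can
# reach that port gets the same root-equivalent control over the host that the
# socket mount would have given; only expose the API with TLS and client certs.
provider "docker" {
  host      = "tcp://docker-host.example.internal:2376"
  cert_path = "/certs/client" # directory containing ca.pem, cert.pem and key.pem
}

# Variant B (assumed values): tunnel the API over SSH instead. The provider only
# allows one un-aliased "docker" block, so uncomment this and remove variant A.
# provider "docker" {
#   host     = "ssh://coder@docker-host.example.internal:22"
#   ssh_opts = ["-o", "StrictHostKeyChecking=yes", "-i", "/home/coder/.ssh/id_ed25519"]
# }

# A minimal workspace container; the provider pulls and runs it on the remote
# daemon, so the Coder server container itself never needs /var/run/docker.sock.
resource "docker_image" "workspace" {
  name = "codercom/enterprise-base:ubuntu" # assumed image
}

resource "docker_container" "workspace" {
  name     = "coder-example-workspace"
  image    = docker_image.workspace.image_id
  hostname = "workspace"
  command  = ["sh", "-c", "sleep infinity"]
}
```

With either variant, the only thing that changes on the Coder server side is dropping the `/var/run/docker.sock` volume mount from the container definition; the remote Docker daemon still runs whatever the API asks of it, so restrict who can reach port 2376 (or the SSH account) as tightly as you would restrict access to the socket itself.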