Reputation: 107
I am experimenting with Docker and understanding concepts around the use of volumes. I have a Tomcat app which writes files to a particular volume.
I write a Dockerfile with an ENTRYPOINT of "dosomething.sh".
The issue I have with the entrypoint script is this: in "dosomething.sh", I could potentially have malicious code that deletes all files on the volume!!!
Is there a way to guard against it, especially because I was planning on sharing this Dockerfile and script with my dev team too, and the care I have to take for production rollout appears scary!
One thought is not to have an "ENTRYPOINT" at all for all the containers that have volumes.
Experienced folks, please advise on how you deal with this...
Upvotes: 1
Views: 254
Reputation: 1324347
If you are using a data volume container to isolate your volume, such a container never runs: it is only created (docker create).
That means you need to mount that data volume container into other containers for them to access that volume.
That mitigates the dangerous entrypoint a bit: a simple docker run would have access to nothing, since no -v volume mounting option would have been set.
Another approach is to at least have the script declared as CMD, not ENTRYPOINT (and have the ENTRYPOINT as [ "/bin/sh", "-c" ]). That way, it is easier to docker run with an alternative command (passed as a parameter, overriding CMD), instead of having to always execute the script just because it is an ENTRYPOINT.
Upvotes: 1
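The two suggestions in the answer above, put together as an added example (this is not code from the question or the answer): the script is the overridable CMD behind a plain-shell ENTRYPOINT, and the data lives in a separate data volume container that is created but never run. The image name myapp, the base image, the container name appdata, the volume path /data and the script path are all assumptions made for illustration.

```dockerfile
# Added example, not from the original post. Names below are assumptions.
# Base image is assumed; pick the Tomcat tag your app actually needs.
FROM tomcat:9-jre11

# Install the script and make it executable.
COPY dosomething.sh /usr/local/bin/dosomething.sh
RUN chmod 0755 /usr/local/bin/dosomething.sh

# The path the app writes to. With no -v/--volumes-from at run time this is
# only an empty anonymous volume, so a careless "docker run" touches no data.
VOLUME ["/data"]

# ENTRYPOINT is just a shell: whatever CMD (or the docker run argument)
# contains is executed via "sh -c", and can be replaced per invocation.
ENTRYPOINT ["/bin/sh", "-c"]

# Default command is the script. Any argument to "docker run myapp ..."
# replaces CMD entirely, so the script is NOT forced to run.
CMD ["/usr/local/bin/dosomething.sh"]

# Usage from the host (assumed names, shown here as comments):
#   docker build -t myapp .
#
#   # Data volume container: created only, never started (first suggestion).
#   # Through the ENTRYPOINT this would run "sh -c /bin/true" if started.
#   docker create -v /data --name appdata myapp /bin/true
#
#   # Plain run: the script executes, but /data is an empty anonymous volume.
#   docker run --rm myapp
#
#   # Override CMD to inspect the real data without running the script.
#   docker run --rm --volumes-from appdata myapp "ls -la /data"
#
#   # Only when you really intend it: attach the data AND run the script.
#   docker run --rm --volumes-from appdata myapp
```

The point of the split is that the destructive capability (the script) and the valuable state (the volume) are only combined by an explicit --volumes-from on the command line; neither the Dockerfile alone nor a default docker run gives the script anything to delete.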