Dan

Reputation: 864

What is the preferred, secure method of exposing docker services to a web application?

I'm just getting into Docker and it's great and everything, but one part confuses me. I'm using a docker image to encode video, and the image can be run like a command with docker run my/image -flag param1 etc. I also happen to be using Apache as my web server. Let's say I want to allow a user to upload a video, so I process the upload with PHP, and I want to use PHP to run the docker image as a command via exec. The problem is that docker can only be run as root/sudo, so by default an exec command fails because the www-data user is not root and therefore does not have privileged access to run docker commands. I could add www-data to the docker group, but I've read that is a poor choice in terms of security. What is the approach I should be taking to utilize this docker image and expose its functionality to a web application?

Upvotes: 1

Views: 119

Answers (1)

Truong Hua

Reputation: 812

It is definitely possible, but it's not recommended as Docker was not designed for that purpose. Docker is not a distributed task system, so you will get a lot of problems making sure that your task is delivered to the proper worker, or you will have to implement yourself the mechanism to retry failed/crashed tasks. Instead, I think you can try Cadence from Uber https://github.com/uber/cadence on top of Docker (Docker is for deployment and Cadence for task distribution).

We also have a video processing system and we are using Celery (Cadence was very new at the time we started the project) for task distribution (we are using Docker for deployment too), and it has been working well so far.

If you still would like to execute a Docker container per task, you can try the Docker Engine API https://docs.docker.com/engine/api/ instead of the CLI interface to avoid granting execute permission to www-data. But again, you will expose all Docker capabilities to the web user, as Docker has no authorization method to limit API access per user, so attackers can start a container, mount the root filesystem and modify your system files. In short, it is possible but not good practice, simply because Docker is not designed to do that.

Upvotes: 1
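The design the answer argues for keeps www-data out of the docker group and out of the Engine API entirely: the web tier only enqueues a job, and a separate worker with docker access validates it and runs the encoder in a least-privilege container. The worker side of that design, as an added example in Python using only the standard library (not code from the question, the answer, Celery or Cadence); the image name is the question's, while the mount paths, presets and resource limits are assumptions.

```python
"""Worker-side validation and a least-privilege `docker run` for one encode job.
Added example, not code from the question, the answer or any project named there.
The web tier only enqueues {"file": ..., "preset": ...}; this worker is the only
process with docker access. Paths, presets and limits are assumptions.
"""
from __future__ import annotations

import re
import subprocess
from pathlib import Path

UPLOAD_ROOT = Path("/var/app/uploads")   # assumed: only directory ever mounted, read-only
OUTPUT_ROOT = Path("/var/app/encoded")   # assumed: where encoded output lands
IMAGE = "my/image"                       # image name from the question; flags are assumed
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # no leading dot, no separators
PRESETS = {"web": ["-preset", "fast"], "archive": ["-preset", "slow"]}  # assumed encoder flags


def validate_job(job: dict) -> tuple[Path, list[str]]:
    """Refuse anything that would let the web tier steer the worker."""
    name = str(job.get("file", ""))
    if not SAFE_NAME.match(name):
        raise ValueError("bad filename")
    src = UPLOAD_ROOT / name
    if src.parent != UPLOAD_ROOT:            # defence in depth against traversal
        raise ValueError("path escapes upload root")
    preset = job.get("preset", "web")
    if preset not in PRESETS:                # never pass user-chosen flags through
        raise ValueError("unknown preset")
    return src, PRESETS[preset]


def build_encode_command(job: dict) -> list[str]:
    """Argv for one run: no shell, no network, no capabilities, read-only input."""
    src, flags = validate_job(job)
    return [
        "docker", "run", "--rm",
        "--network", "none", "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534", "--read-only",  # unprivileged uid, immutable rootfs
        "--memory", "2g", "--pids-limit", "256",
        "-v", f"{src}:/in/{src.name}:ro",
        "-v", f"{OUTPUT_ROOT}:/out",
        IMAGE, *flags, f"/in/{src.name}", f"/out/{src.stem}.mp4",
    ]


def run_job(job: dict) -> int:
    """Worker entry point; an argv list means job data is never shell-interpreted."""
    return subprocess.run(build_encode_command(job), check=False, timeout=3600).returncode
```

The PHP side then only writes the job record to the queue; it never touches the docker socket or binary.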
