Description
Docker doesn't handle volume properly in case user use docker in a container via the host docker engine. When the inner container start another container with --volume, docker mount it from host instead of the inner container.
Steps to reproduce the issue:
- Start a docker container with the following command: docker run -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu bash
- Install docker in the inner container.
- Ensure the inner docker see the same resources. Containers, images, networks etc. E.g.: docker ps should show only one container (if it is a newly installed engine)
- When you are in the inner container issue the following command: docker run -it -v /etc/sudoers:/what_is_in_sudoers
Describe the results you received:
In that case the newly created container will be able to read and write the host "/etc/sudoers" file that will be in "/what_is_in_sudoers" file.
Describe the results you expected:
An empty "/what_is_in_sudoers" directory should be created because the mentioned file does not exists in the inner container.
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
Client:
Version: 1.12.3
API version: 1.24
Go version: go1.6.3
Git commit: 6b644ec
Built: Wed Oct 26 22:01:48 2016
OS/Arch: linux/amd64
Server:
Version: 1.12.3
API version: 1.24
Go version: go1.6.3
Git commit: 6b644ec
Built: Wed Oct 26 22:01:48 2016
OS/Arch: linux/amd64
Output of docker info:
Containers: 3
Running: 2
Paused: 0
Stopped: 1
Images: 118
Server Version: 1.12.3
Storage Driver: aufs
Root Dir: /docker/aufs
Backing Filesystem: extfs
Dirs: 159
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: null overlay host bridge
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-45-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 32
Total Memory: 62.81 GiB
Name: node12
ID: ZLIF:VU7U:P5VP:F5ZH:35QS:WCCT:B7AQ:4AAM:PAPD:YKVR:MUSI:7R2P
Docker Root Dir: /docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
Additional environment details (AWS, VirtualBox, physical, etc.):
I tested it in a physical machine.
I don't know if it is a valid scenario to use docker in docker but I think it is. In this way a user that doesn't have permission to modify e.g.: /etc/sudoers, /etc/passwd, /etc/ssh/ etc. will have the opportunity to do that.
If you need any additional information please ask or if you think it is invalid please close.
Description
Docker doesn't handle volume properly in case user use docker in a container via the host docker engine. When the inner container start another container with --volume, docker mount it from host instead of the inner container.
Steps to reproduce the issue:
Describe the results you received:
In that case the newly created container will be able to read and write the host "/etc/sudoers" file that will be in "/what_is_in_sudoers" file.
Describe the results you expected:
An empty "/what_is_in_sudoers" directory should be created because the mentioned file does not exists in the inner container.
Additional information you deem important (e.g. issue happens only occasionally):
Output of
docker version:Client:
Version: 1.12.3
API version: 1.24
Go version: go1.6.3
Git commit: 6b644ec
Built: Wed Oct 26 22:01:48 2016
OS/Arch: linux/amd64
Server:
Version: 1.12.3
API version: 1.24
Go version: go1.6.3
Git commit: 6b644ec
Built: Wed Oct 26 22:01:48 2016
OS/Arch: linux/amd64
Output of
docker info:Containers: 3
Running: 2
Paused: 0
Stopped: 1
Images: 118
Server Version: 1.12.3
Storage Driver: aufs
Root Dir: /docker/aufs
Backing Filesystem: extfs
Dirs: 159
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: null overlay host bridge
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-45-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 32
Total Memory: 62.81 GiB
Name: node12
ID: ZLIF:VU7U:P5VP:F5ZH:35QS:WCCT:B7AQ:4AAM:PAPD:YKVR:MUSI:7R2P
Docker Root Dir: /docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
Additional environment details (AWS, VirtualBox, physical, etc.):
I tested it in a physical machine.
I don't know if it is a valid scenario to use docker in docker but I think it is. In this way a user that doesn't have permission to modify e.g.: /etc/sudoers, /etc/passwd, /etc/ssh/ etc. will have the opportunity to do that.
If you need any additional information please ask or if you think it is invalid please close.