Is it safe to run Docker in Docker on OpenShift?

11/11/2018

I built a Docker image on a server that can run CI/CD for Jenkins. Because some builds use Docker, I installed Docker inside my image, and in order to allow the inner Docker to run, I had to give it --privileged.

All works well, but I would like to run Docker in Docker on OpenShift (or Kubernetes). The problem is with getting the --privileged permission.

Is running a privileged container on OpenShift dangerous, and if so, why and how much?

-- Yagel
docker
docker-in-docker
kubernetes
openshift

1 Answer

11/11/2018

A privileged container can reboot the host, replace the host's kernel, access arbitrary host devices (like the raw disk device), and reconfigure the host's network stack, among other things. I'd consider it extremely dangerous, and not really any safer than running a process as root on the host.

I'd suggest that using --privileged at all is probably a mistake. If you really need a process to administer the host, you should run it directly (as root) on the host and not inside an isolation layer that blocks the things it's trying to do. There are some limited escalated-privilege things that are useful, but if e.g. your container needs to mlock(2) you should --cap-add IPC_LOCK for the specific privilege you need, instead of opening up the whole world.

(My understanding is still that trying to run Docker inside Docker is generally considered a mistake and using the host's Docker daemon is preferable. Of course, this also gives unlimited control over the host...)

-- David Maze
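The answer's point, that --privileged hands over every capability while --cap-add grants one bit, can be checked from inside a running container by decoding the CapEff line of /proc/self/status (or /proc/1/status via kubectl exec / oc exec). The script below is an added example, not part of the question or answer above: it decodes a capability bitmask into names using the bit numbers from linux/capability.h, and compares three constructed masks, Docker's default set, the default set plus IPC_LOCK, and the full set a --privileged container receives on a kernel with 41 capabilities (older kernels report 0x3fffffffff). The reference masks are hard-coded constants, not read from a live system.

```shell
#!/usr/bin/env bash
# Decode a Linux capability bitmask (the hex value printed as CapEff in
# /proc/<pid>/status) into capability names, to see what a container really got.
set -eu

# Capability names in bit order, from linux/capability.h (index = bit number).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write
audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend
audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> one capability name per line (cap_xxx, lowest bit first)
decode_caps() {
  mask=$((0x$1))
  i=0
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      printf 'cap_%s\n' "$name"
    fi
    i=$((i + 1))
  done
}

# count_caps HEXMASK -> number of capabilities set in the mask
count_caps() { decode_caps "$1" | wc -l | tr -d ' '; }

# has_cap HEXMASK NAME -> exit status 0 if cap_NAME is set in the mask
has_cap() { decode_caps "$1" | grep -qx "cap_$2"; }

# current_capeff -> effective capability mask of this shell (Linux only)
current_capeff() { awk '/^CapEff:/ {print $2}' /proc/self/status; }

# Constructed reference masks (assumed values, not captured from a real host):
DOCKER_DEFAULT=00000000a80425fb   # Docker's default 14-capability set
IPC_LOCK_ADDED=00000000a80465fb   # default set plus --cap-add IPC_LOCK (bit 14)
PRIVILEGED=000001ffffffffff       # --privileged on a kernel with 41 capabilities

if [ "${1:-}" = "--demo" ]; then
  for label in DOCKER_DEFAULT IPC_LOCK_ADDED PRIVILEGED; do
    eval "m=\$$label"
    printf '%-15s %s caps\n' "$label" "$(count_caps "$m")"
  done
  # The dangerous bits the answer warns about only show up in the privileged mask.
  for cap in sys_admin sys_module sys_rawio sys_boot net_admin; do
    has_cap "$PRIVILEGED" "$cap" && ! has_cap "$IPC_LOCK_ADDED" "$cap" \
      && echo "only --privileged grants cap_$cap"
  done
  if [ -r /proc/self/status ]; then
    echo "this shell's CapEff: $(current_capeff)"
    decode_caps "$(current_capeff)"
  fi
fi
```

Run it as `bash capeff.sh --demo` inside a pod to see whether the container got the 14 default bits, one extra bit, or all of them; cap_sys_admin, cap_sys_module and cap_sys_rawio appearing in the output is the practical meaning of "can replace the host's kernel and read the raw disk".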
Source: StackOverflow