back to article Contain yourself, Docker: Race-condition bug puts host machines at risk... sometimes, ish

A vulnerability in all versions of Docker can be potentially exploited by miscreants to escape containers' security protections, and read and write data on host machines, possibly leading to code execution. This is according to senior SUSE software engineer Aleksa Sarai, who said the flaw is a race condition bug in which a …

  1. amanfromMars 1 Silver badge

    For Exploding Containers ?

    Wow .... a Virtual Mole and Remote Access Trojan combo. Whatever can we expect next?

  2. streaky

    Oh noes!

    requires a miscreant to be active within a container when a host administrator runs docker cp to copy data in or out of the container

    Batten down the hatches!

  3. Smartypantz

    The github generation

    Docker is a gaping security hole as a concept

    Downloading and running random internet guys image in a container on your docker environment is worse than downloading and clicking random .exe files on your windows box:

    1. NO and by NO i meen absolutely NO malware detection in must cases!

    2. Everything as root, yeahh... check those container processes!

    3. Culture of trust: This is beautiful but can we be sure that the loving altruistic spirit is in ALL container images available as a one-liner from repos?

    4. majority of docker containers run on powerful server systems with high bandwidth

    If i wanted malware running anywhere, i would look at docker repos as my first choice!

    Docker is for people who havn't got the skill to setup a proper server.

    1. Anonymous Coward
      Anonymous Coward

      Re: The github generation

      You're a prat! It's only as insecure as you wish to make it.

      Do you really think that anyone who knows what they're doing with containers just pulls images willy-nilly off the Docker Hub? FFS! That's like just pulling an O/S ISO off some random torrent site, might as well take your system out in the garden and smash it up with a hammer. Build your own images from the base certified O/S images, add your own apps and scripts in the build as you put together.

      If you run Docker direct on your host O/S you are a bit of pillock too. You run Docker in a VM, a proper secured environment and never direct on the native host, then you can isolate it and lock it down. You do know that in container technology you can see every single file in the host O/S? The container is not a VM, all the files, scripts and everything used in the container is fully exposed on the host's O/S filesystem where it can be inspected and scanned before you do anything with it, if you really must use prebuilt images from Fred down-the-road.

      Sounds like you need to stop reading FUD and start learning Docker and Kubernetes properly, not just firing up a few demo images after watching some spotty 16 year old's YouTube on running Docker.

      1. Smartypantz

        Re: The github generation

        "Do you really think that anyone who knows what they're doing with containers just pulls images willy-nilly off the Docker Hub?":

        YES! And i know they do because i actually operate in the real world

        "f you run Docker direct on your host O/S you are a bit of pillock too. You run Docker in a VM"

        You sir are an idiot! Have you ever stopped to contemplate the reason of virtualization? You run Docker on "the Iron" if you want to do any kind of resource optimization that is! Off course you can run it in the public cloud like any schmuck and do your new feudal masters bidding.

        I have 20+ years of service uptime under my belt, you, sir sounds like an asshole with a few to many opinions from "social media"

        1. Cederic Silver badge

          Re: The github generation

          Actually he was entirely correct. Responsible container users secure the container environment and validate all containers prior to use.

          There are even tools and services available to support this.

    2. jtaylor

      Re: The github generation

      "Docker is a gaping security hole as a concept...Docker is for people who havn't got the skill to setup a proper server."

      Smartypantz, you're a moron.

      "1. NO and by NO i meen absolutely NO malware detection in must cases!"

      I build my own dockers. I could just ask myself if I added malware. Why the hell would I run a scan?

      "2. Everything as root, yeahh... check those container processes!"

      Those who know Docker call those "privileged containers." It's useful in some situations, not all. What the hell are you doing with Docker?

      "3. Culture of trust: This is beautiful but can we be sure that the loving altruistic spirit is in ALL container images available as a one-liner from repos?"

      Docker is a container used to run software in a controlled and often ephemeral environment. Your advice about unknown software is nice, but why? What the hell are you running in Docker?

      "4. majority of docker containers run on powerful server systems with high bandwidth If i wanted malware running anywhere, i would look at docker repos as my first choice!"

      Whatever floats your boat. If you think my private repos are the best entry point to compromise my servers, I wish you luck.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like