Cadvisor: CAdvisor Security advise

Created on 8 Jun 2018 · 8 Comments · Source: google/cadvisor

Hi,

I'm trying to apply the cadvisor to monitoring the docker containers. When I read the document, I see this command to run it.

sudo docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --volume=/dev/disk/:/dev/disk:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  google/cadvisor:latest

It will mount the root folder. I wonder if it's safe to do this. Besides, please give me some advice on deploying it in production, especially using docker. Thank you.

Best regards,

kinsupport

All 8 comments

cAdvisor needs access to those filesystems in order to monitor other containers on the node. There are many users who run cAdvisor in production. We do our best to apply security patches to our software. You should always perform a security review of open-source software you use. Using this safely depends on your security boundaries, and your threat models, and is far more complicated than can be covered in this issue.

Are you sure it doesn't just need ro to /var/lib/docker/containers, like other monitoring solutions use? Bind mounting all of the host's rootfs seems incredibly excessive and unnecessary. I'd also seriously question the need for rw to /var/run. I assume this is so it can use the docker socket.. does it really need to write to it though? I really think you should change the documentation to have more sanely scoped access to host resources. Specially if you want people to believe you've given security any kind of consideration with this project.

@anomaly256
You are correct that we don't need write access to the docker socket (turns out you only need read access to write to a socket). I'll update the documentation to reflect that. However, having read access to the docker socket is the equivalent to root on the host (as you can create a container with arbitrary privileges), so there isn't a security boundary to be enforced by carefully scoped mounts.

Unless someone uses a docker auth plug-in to mitigate that. I really don't think one security issue's presence justifies adding a second equally large one.

(Reply sent by email to David Ashpole's comment of Wed, 22 Aug 2018, 2:56 am, quoted above.)

sigh.

I have very very serious concerns about giving such access for two reasons:

  1. large US company (take your pick). Is there any closed source packages used?
  2. large US company involved.

Now that /var/run mentioned by OP is 'fixed' in docs... why bother mounting root /? Or if for whatever reason root is required to be mounted, then why bother to mount the others in 1:1 mapping?

... to explain further, just in case. With setup proposed (and also proposed elsewhere on net: https://prometheus.io/docs/guides/cadvisor/) we will have the following mounts:

host path           paths inside the guest
/                   /rootfs
/var/run            /rootfs/var/run, /var/run
/sys                /rootfs/sys, /sys
/var/lib/docker     /rootfs/var/lib/docker, /var/lib/docker

This architecture appears so bad that I think it needs to be brought up. It sends alarm bells.
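As an added illustration (not code from this thread or from the cAdvisor project), the script below audits a `docker inspect`-style Mounts list, constructed here to match the docker run command quoted at the top of the issue, and reports both points raised above: the host rootfs being exposed, and the docker socket being reachable through more than one path inside the container whether the bind is ro or rw.

```python
import json

# Constructed sample in the shape of the "Mounts" array that `docker inspect`
# prints, filled in from the docker run command quoted in the issue (not
# output captured from a real host).
CADVISOR_MOUNTS_JSON = json.dumps([
    {"Type": "bind", "Source": "/", "Destination": "/rootfs", "RW": False},
    {"Type": "bind", "Source": "/var/run", "Destination": "/var/run", "RW": True},
    {"Type": "bind", "Source": "/sys", "Destination": "/sys", "RW": False},
    {"Type": "bind", "Source": "/var/lib/docker/", "Destination": "/var/lib/docker", "RW": False},
    {"Type": "bind", "Source": "/dev/disk/", "Destination": "/dev/disk", "RW": False},
])

DOCKER_SOCKET = "/var/run/docker.sock"  # default socket path on the host


def _norm(path):
    """Strip a trailing slash but keep '/' itself."""
    return path.rstrip("/") or "/"


def _under(path, prefix):
    """True if host `path` lies inside host directory `prefix`."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def socket_paths_in_container(mounts):
    """Every in-container path at which the host docker socket is reachable."""
    paths = []
    for m in mounts:
        src = _norm(m["Source"])
        if _under(DOCKER_SOCKET, src):
            rel = DOCKER_SOCKET if src == "/" else DOCKER_SOCKET[len(src):]
            paths.append(_norm(m["Destination"]) + rel)
    return sorted(paths)


def audit_mounts(mounts_json):
    """Return human-readable findings for the risky bind mounts."""
    mounts = [m for m in json.loads(mounts_json) if m.get("Type") == "bind"]
    findings = []
    for m in mounts:
        src, mode = _norm(m["Source"]), "rw" if m["RW"] else "ro"
        if src == "/":
            findings.append("host rootfs bind-mounted at %s (%s)" % (m["Destination"], mode))
        if m["RW"]:
            findings.append("writable host path %s at %s" % (src, m["Destination"]))
    for p in socket_paths_in_container(mounts):
        findings.append("docker socket reachable at %s (root-equivalent even if ro)" % p)
    return findings


if __name__ == "__main__":
    print("\n".join(audit_mounts(CADVISOR_MOUNTS_JSON)))
```

Changing the /var/run bind to ro removes only the "writable host path" line; the socket findings stay, which is the point made by the maintainer above.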

Still commenting here, as not sure if a new issue is needed yet. Apparently the metricbeats plugin for elasticsearch requires root to be mounted also:
https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-docker.html
