Hello community, I've been experimenting with the Cloudbees Docker Workflow plugin, and I really like the ease of use of this DSL. Now I'd like to get security right.
Problem: the plugin assumes that the docker binary is in the path <http://documentation.cloudbees.com/docs/cje-user-guide/_limitations.html>. In my understanding this has the implication that the user that issues docker commands (e.g. jenkins) has to be in the docker group! The *docker* variable provided by the docker workflow plugin limits the security impact by explicitly setting a non-priviledged user with the "-u" option. However, at least in docker 1.9.1 I can pass a second "-u" option which overwrites the original settings: docker.image('ubuntu').inside ('-v /etc:/etc-host -u 0') { > sh ''' > whoami > # -> root > awk '{gsub(/[A-Z]/,"!"); print}' /etc-host/shadow > # -> slightly masked password hashes > ''' > } > > I could also have passed in the "--privileged" flag. For a moment I asked myself it it would be worthwhile filing an ER, as to have the plugin sanitize the "docker run" parameters. But the fundamental problem is that a Jenkins job has the right to run the docker commands. Running the following script would be even worse: node { > sh 'docker run -v /etc:/etc-host ubuntu cat /etc-host/shadow' > } > One option would be to write a shim for the docker command, that only allows a subset of commands, and sanitizes the options and parameters. My question are these: - am I missing something? - how should I configure the Jenkins CI environment (server and nodes) to use the docker command safely? Thanks in advance, Thomas -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/62e8e1dd-382e-4fb3-baff-e816099b00a5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
