How to run cadvisor securely?

[hasufell]

I tried cadvisor and the README suggests to do:

  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:rw \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \

which, from a security standpoint, is a really strong no-go. /var/run is mounted writable... there will be more on the host system that is writing to that directory including crucial system services. Then the whole root file system is mounted in read-only. That exposes all data of the host.

Is there no way to run cadvisor in a more restricted way?

[vishh]

/var/run is needed to access the docker socket. cAdvisor needs read-only
access to docker API. Maybe mount just that in.

On Wed, Jan 20, 2016 at 7:04 AM, Julian Ospald [email protected]
wrote:

I tried cadvisor and the README suggests to do:

--volume=/:/rootfs:ro
--volume=/var/run:/var/run:rw
--volume=/sys:/sys:ro
--volume=/var/lib/docker/:/var/lib/docker:ro \

which, from a security standpoint, is a really strong no-go. /var/run is
mounted writable... there will be more on the host system that is writing
to that directory including crucial system services. Then the whole root
file system is mounted in read-only. That exposes all data of the host.

Is there no way to run cadvisor in a more restricted way?

—
Reply to this email directly or view it on GitHub
#1069.