Execute docker exec command from other container without using ssh or docker.sock

Question

The main problem is that i have two containers: containerA and containerB. containerB is the container of Portia, which is running and i cant stop due to external reasons. And in containerA i need to execute a docker exec of containerB.

I've readen two main solutions, the first one that i already tried and it works is using ssh to run the script in the host but i cant have a user with no password and giving a password seems to me like it's not the best way to do this. The second way is using docker.sock and a docker compose file, but many people said in comments that this is not a secure way.

Can someone explain me other way or if i am wrong and why? Thanks for your time.

Answer 1

You’ve basically highlighted the only two ways to directly run a command in another container. In particular, allowing docker exec access gives your process unlimited root-level control over the host, and any security issue in your setup opens the very real possibility of compromising the host (I have seen many SO questions with trivial shell-injection attacks on system("docker exec $COMMAND") type calls).

Best practice is to try to avoid docker exec as much as possible. It is a very helpful debugging tool, but it should not be in your core application flow at all. (It is very much the equivalent of “ssh as root to the server and...”, which is never a best practice.). If one container needs to request that another container does something, this is typically done via some sort of HTTP interface.

Answer 2

As you mentioned in your question that there are two possible ways you find to run docker commands remotely.

• Using ssh
• Using docker socket

both of which you think is not secure.

But that's not true. I'm not sure about ssh, but docker socket can be secured.

Check this out.

You have to enable tls on your docker daemon socket, to make it secured. And then you can run docker remotely in a secure manner.

Quoting the first paragraph from the link mentioned above.

By default, Docker runs through a non-networked UNIX socket. It can also optionally communicate using an HTTP socket.

If you need Docker to be reachable through the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.

In the daemon mode, it only allows connections from clients authenticated by a certificate signed by that CA. In the client mode, it only connects to servers with a certificate signed by that CA.

Hope this helps.