Bug 1119278 - [RFE] /usr/bin/docker should be split into smaller binaries
Summary: [RFE] /usr/bin/docker should be split into smaller binaries
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: Virtualization Bugs
Depends On:
TreeView+ depends on / blocked
Reported: 2014-07-14 12:16 UTC by Jiri Jaburek
Modified: 2019-03-06 01:30 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2015-04-14 19:53:05 UTC

Attachments (Terms of Use)

Description Jiri Jaburek 2014-07-14 12:16:09 UTC
Description of problem:

The /usr/bin/docker binary currently has 15MB and runs under root. For various security and audit-ability reasons, the binary should be split into smaller, at least two, parts - a privileged part (running under root) and an unprivileged part (running under an unprivileged user).

Version-Release number of selected component (if applicable):

Comment 2 Daniel Walsh 2014-07-15 16:53:56 UTC
This would have to be totally handled upstream.

Comment 3 Jiri Jaburek 2014-07-15 17:10:24 UTC
FYI: This seems to be one of Docker's "end goals", as described in the Security section of the upstream documentation:


The end goal for Docker is therefore to implement two additional security

   - map the root user of a container to a non-root user of the Docker host,
     to mitigate the effects of a container-to-host privilege escalation;
   - allow the Docker daemon to run without root privileges, and delegate
     operations requiring those privileges to well-audited sub-processes,
     each with its own (very limited) scope: virtual network setup,
     filesystem management, etc.



Comment 4 Daniel Walsh 2014-07-15 19:44:04 UTC
The first one is about User Namespace.   The second one is potential, although I think this is very low on their priority list.

Comment 5 Daniel Walsh 2015-01-19 15:03:57 UTC
This continues to be talked about upstream, but not sure there is any action on it.

Comment 6 Daniel Walsh 2015-04-14 19:53:05 UTC
This needs to happen upstream.  We are looking at potential other tools like CoreOS and systemd-dkr.

Note You need to log in before you can comment on or make changes to this bug.