Assuming:
- A 3rd party provides a
Dockerfile
that I do not review - I build the Docker image (
docker build
or similar) on my infrastructure - the build has a time limit (e.g. max 5 minutes)
Is this insecure for my infrastructure/machine?
If so, why?
For more context, this is like a CI system where I build customer’s Docker images on my infrastructure.
2
Answers
Generally speaking and without knowing the tool you’re going to use, if you do not review the Dockerfile, it may be insecure.
But…
You can adopt a widely popular software and tools that, even if you do not check their internals, they are widely spread and use in several contexts and are known to be secure
You can easilly review many Dockerfile available online, e.g. from Docker Hub, because they indicates:
So, even if you don not write the Docekrfile, you can see the details of the Docker image and
You are giving arbitrary code access to write to disk, use memory, use up to 5 minutes of CPU time, access the network, and access the same kernel running everything else on the host. There are various attacks I could think of: