Using VMs to Run Containers and Uninstalling Docker from the Main OS

I always get panicked when I visit the Gentoo page for Docker. There’s a big warning which says:

Warning: Allowing a user to talk to the Docker daemon is equivalent to giving the user full root access to the host.

This warning highlights one of the most critical security concerns when using Docker. Essentially, any user with access to the Docker daemon has root-level access to the host system, which can pose significant security risks. A quote from an article on opensource.com elaborates:

“The biggest problem is everything in Linux is not namespaced. Currently, Docker uses five namespaces to alter processes' view of the system: Process, Network, Mount, Hostname, Shared Memory.

While these give the user some level of security it is by no means comprehensive, like KVM (Kernel-based Virtual Machine). In a KVM environment, processes in a virtual machine do not talk to the host kernel directly. They do not have any access to kernel file systems like /sys and /sys/fs, /proc/*.”

I know most people (including me) download random Docker images and launch them on their host without checking the source. Many are unaware that using root privileges within a container is equivalent to giving root access to their main system.

So I started to wonder whether I could run containers within a VM to isolate them from my main system.

To achieve this, I built a Bash script called vms to easily manage several headless VMs. I began using this tool to run Docker within a VM and eventually uninstalled Docker completely from my main system :).

Here are the steps for setting up a VM for Docker:

Step 1: Clone the Repository

First, clone the repository from GitHub and install vms:

$ git clone https://github.com/hozan23/vms 
$ cd vms
$ make PREFIX=/home/USER/.local install 

Step 2: Download the Arch Linux ISO

Download the Arch Linux ISO file from archlinux.org.

Step 3: Create a New VM

Create a new VM with a specified disk size:

$ vms create docker 50G

Step 4: Start the Installation

Boot the VM with the Arch Linux ISO to start the installation:

$ vms boot docker /home/USER/download/ISO_FILE

Step 5: Configure the VM

After completing the installation, check the configuration file and modify the port-forwarding variable. For example, to forward ports for SSH, pgAdmin, and PostgreSQL, you can add:

ports=10022:22 8080:80 5432:5432

Step 6: Run the VM

Run the VM with the following command:

$ vms run docker

Step 7: Install Docker on the VM

Now, you can install Docker on the VM and run a docker compose containing postgresql and pgadmin.

Step 8: Access the VM via SSH

You can access the VM via SSH with the following command:

$ ssh -p 10022 USER@localhost

Make sure to enable the SSH daemon on the VM.

By following the steps above, you can set up and manage your Docker containers within a VM, providing a more secure and controlled environment.
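
Once Docker is uninstalled from the main OS, a check like the one below confirms that the host no longer offers the root-equivalent path the Gentoo warning describes. This is an added example, not part of vms or the original post; the function names are hypothetical, and the defaults assume the usual /etc/group file and the default Docker socket at /var/run/docker.sock.

```shell
#!/bin/sh
# Added example: audit a host for access paths to a Docker daemon.
# Function names are hypothetical; defaults are the usual Docker locations.

# Print the supplementary members of the "docker" group from a
# group(5)-format file. Users whose *primary* group is docker are not
# listed there and need a separate check against /etc/passwd.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { gsub(",", " ", $4); print $4 }' \
        "${1:-/etc/group}"
}

# Succeed if the given path is a socket the current user can write to.
socket_writable() {
    sock="${1:-/var/run/docker.sock}"
    [ -S "$sock" ] && [ -w "$sock" ]
}

# Report every finding; return 1 if the host still exposes the daemon.
audit_host() {
    group_file="${1:-/etc/group}"
    sock_path="${2:-/var/run/docker.sock}"
    status=0

    members=$(docker_group_members "$group_file")
    if [ -n "$members" ]; then
        echo "docker group members (root-equivalent): $members"
        status=1
    fi

    if socket_writable "$sock_path"; then
        echo "current user can write to $sock_path"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "no Docker daemon access found"
    return "$status"
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
printf '%s\n' 'wheel:x:10:alice' 'docker:x:969:alice,bob' > "$sample"
audit_host "$sample" /nonexistent/docker.sock \
    || echo "host still exposes the Docker daemon"
rm -f "$sample"
```

Run `audit_host` with no arguments on the main OS; inside the VM the same check shows which guest accounts hold root-equivalent access there.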