Using VMs to Run Containers and Uninstalling Docker from the Main OS

July 18, 2024

I always get panicked when I visit the Gentoo page for Docker. There’s a big warning which says:

Warning Allowing a user to talk to the Docker daemon is equivalent to giving the user full root access to the host.

Essentially, any user with access to the Docker daemon has root-level access to the host system, which can pose significant security risks. A quote from an article on opensource.com elaborates:

“The biggest problem is everything in Linux is not namespaced. Currently, Docker uses five namespaces to alter processes view of the system: Process, Network, Mount, Hostname, Shared Memory.

While these give the user some level of security it is by no means comprehensive, like KVM (Kernel-based Virtual Machine). In a KVM environment, processes in a virtual machine do not talk to the host kernel directly. They do not have any access to kernel file systems like /sys and /sys/fs, /proc/*.”

I know most people (including me) download random Docker images and launch them on their host without checking the source. Many are unaware that using root privileges within a container is equivalent to giving root access to their main system.

So I started to think if I can use containers within a VM to isolate them from my main system.

To achieve this, I built a Bash script called vms to easily manage several headless VMs. I began using this tool to run Docker within a VM and eventually uninstalled Docker completely from my main system :).

Here are the steps for setting up a VM for Docker:

Step 1: Clone the Repository

First, clone the repository from GitHub and install vms:

$ git clone https://github.com/hozan23/vms 
$ cd vms
$ make PREFIX=/home/USER/.local install

Step 2: Download the Arch Linux ISO

Download the Arch Linux ISO file from archlinux.org.

Step 3: Create a New VM

Create a new VM with a specified disk size:

$ vms create docker 50G

Step 4: Start the Installation

Boot the VM with the Arch Linux ISO to start the installation:

$ vms boot docker /home/USER/download/ISO_FILE

Step 5: Configure the VM

After completing the installation, check the configuration file and modify the ports forwarding variable. For example, to forward ports for ssh, pgadmin, and postgresql, you can add:

ports=10022:22 8080:80 5432:5432

Step 6: Run the VM

Run the VM with the following command:

$ vms run docker

Step 7: Install Docker on the VM

Now, you can install Docker on the VM and run a docker compose containing postgresql and pgadmin.

Step 8: Access the VM via SSH

You can access the VM via SSH with the following command:

$ ssh USER@localhost:10022

Make sure to enable ssh daemon on the VM

By following the steps above, you can set up and manage your Docker containers within a VM.