Runner mounts socket which is $bad #4
As we now know from https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers, it is a considerable attack vector to expose the docker socket to other containers. We do this for the runner in https://git.autonomic.zone/coop-cloud/drone-docker-runner/src/commit/e54a5649237c3dfcd0ba16b580739578fc0a757e/compose.yml#L8 because this runner spawns its own containers. That actually can't be avoided, I would say. Maybe we need to consider moving the runner to its own machine which is locked down away from other apps.
/cc @kawaiipunk
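As an added example (not part of this issue or of the drone-docker-runner project), the following script audits a host for the pattern discussed above: it reads the JSON that `docker inspect` prints for a set of containers and lists every container that bind-mounts the host Docker socket. The sample input is constructed in the shape of `docker inspect` output, with made-up container names; the socket path `/var/run/docker.sock` is assumed to be the default daemon socket.

```python
import json
import sys

# Default location of the Docker daemon socket on the host (assumption:
# the daemon was not configured with a different -H / hosts setting).
DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample in the shape of `docker inspect <id>...` output,
# reduced to the fields this check reads. Container names are made up.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/drone-runner",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
        ],
    },
    {
        "Name": "/web",
        "Mounts": [
            {"Type": "volume", "Source": "/var/lib/docker/volumes/web_data/_data",
             "Destination": "/data", "RW": True},
        ],
    },
    {
        "Name": "/monitor",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": False},
        ],
    },
])


def socket_mounts(inspect_json):
    """Return [(container_name, destination, rw)] for each container that
    bind-mounts the host Docker socket.

    The RW flag is reported for completeness only: a read-only bind mount
    of a Unix socket still allows connect() and full use of the daemon API,
    so it does not reduce the risk described in the OWASP rule.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCKET:
                findings.append((name, mount.get("Destination"),
                                 bool(mount.get("RW", True))))
    return findings


def report(inspect_json):
    """Human-readable finding per socket mount; empty list when clean."""
    lines = []
    for name, dest, rw in socket_mounts(inspect_json):
        mode = "read-write" if rw else "read-only"
        lines.append(f"{name}: host Docker socket mounted at {dest} ({mode}); "
                     "this container can control the Docker daemon")
    return lines


if __name__ == "__main__":
    # Read real `docker inspect` output from stdin when piped, otherwise
    # fall back to the constructed sample so the script runs offline.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for line in report(data) or ["no containers mount the Docker socket"]:
        print(line)
```

On a host, feed it every running container with `docker inspect $(docker ps -q) | python3 audit_socket.py`; anything it lists other than the runner itself is a container that has inherited the same daemon-level access the issue is about, which is the kind of inventory you would want before deciding whether the runner needs its own locked-down machine.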