reinitialized.net/infrastructure
2
0
Fork 0
Code Issues 37 Pull requests Projects Releases Packages Wiki Activity Actions

[HIGH] Docker socket mounted into Forgejo Runner and Wings containers #14

New issue
Open
opened 2026-05-05 15:43:32 -05:00 by pjennings · 0 comments
pjennings commented 2026-05-05 15:43:32 -05:00
Owner
Copy link

Labels: area:security, area:containers, priority:high, type:bug

Description

Two containers mount the Docker socket directly:

  1. Forgejo Runner on apps2: /var/run/docker.sock:/var/run/docker.sock
  2. Pelican Wings on gs1: /var/run/docker.sock:/var/run/docker.sock

Combined with the runner's --privileged flag (separate CRITICAL issue), this grants full host Docker control.

Impact

Container escape to host. Any code running in these containers can create/stop/delete any container, read container environment variables (including secrets), and mount host filesystem volumes.

Recommended Fix

  1. Wings: This is architecturally necessary for game server management. Use a Docker socket proxy (Tecnativa/docker-socket-proxy) to restrict API access to only what Wings needs (containers: list/create/stop, volumes: list/create)
  2. Forgejo Runner: Replace socket mounting with Docker-in-Docker (dind) for proper isolation
**Labels:** `area:security`, `area:containers`, `priority:high`, `type:bug` ## Description Two containers mount the Docker socket directly: 1. **Forgejo Runner** on apps2: `/var/run/docker.sock:/var/run/docker.sock` 2. **Pelican Wings** on gs1: `/var/run/docker.sock:/var/run/docker.sock` Combined with the runner's `--privileged` flag (separate CRITICAL issue), this grants full host Docker control. ## Impact Container escape to host. Any code running in these containers can create/stop/delete any container, read container environment variables (including secrets), and mount host filesystem volumes. ## Recommended Fix 1. **Wings**: This is architecturally necessary for game server management. Use a Docker socket proxy (Tecnativa/docker-socket-proxy) to restrict API access to only what Wings needs (containers: list/create/stop, volumes: list/create) 2. **Forgejo Runner**: Replace socket mounting with Docker-in-Docker (dind) for proper isolation
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
indev
No results found.
Labels
Clear labels   
area:documentation

Documentation, inventory, runbooks

  
area:infrastructure

Infrastructure services and hardware

  
area:network

Network, firewall, and connectivity

  
area:security

Security vulnerabilities and findings

  
priority:critical

Fix immediately — active risk

  
priority:high

Fix within 1-2 weeks

  
priority:low

Backlog — hardening and best practices

  
priority:medium

Fix within 1 month

  
status:blocked

Blocked on dependency or decision

  
type:bug

Misconfiguration or broken behavior

  
type:deployment

New service or system deployment

  
type:enhancement

Improvement or hardening

  
type:investigation

Needs research or identification

No labels
area:documentation
area:infrastructure
area:network
area:security
priority:critical
priority:high
priority:low
priority:medium
status:blocked
type:bug
type:deployment
type:enhancement
type:investigation
Milestone
Clear milestone
No items
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
reinitialized.net/infrastructure#14
No description provided.