The DevOpsBeast Blog

Production engineering notes.

Field notes on Kubernetes, GPUs, Linux, and the rest of the production stack, from engineers who run real infrastructure.

Container Security··6 min read

Mounting the Docker Socket Is Root on Your Host. Here Is Why.

A CI job mounts /var/run/docker.sock so it can build images. An attacker who compromises that job uses the socket to start a privileged container that mounts the host root filesystem. No exploit required. This is one of the most common real-world container escapes, and the fix is to stop needing the socket at all.

Read post