furyhawk/deer-flow
1
0
Fork 0
mirror of https://github.com/bytedance/deer-flow.git synced 2026-06-14 11:25:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): mount host Docker socket only in aio (DooD) sandbox mode (#3517)

Browse Source 
* fix(security): mount host Docker socket only in aio (DooD) sandbox mode

The default Compose stack mounted /var/run/docker.sock read-write into the
root gateway container in every sandbox mode, including the default `local`
mode that never uses it -- an unnecessary host-escape surface (DooD =
root-equivalent host control). deploy.sh already gated the socket *check* on
sandbox_mode != local, but the Compose files mounted it unconditionally.

Move the socket mount to an opt-in docker/docker-compose.dood.yaml overlay
that deploy.sh / docker.sh append only when detect_sandbox_mode() returns
`aio`. Default (local) and provisioner/Kubernetes modes no longer expose the
host daemon. Tighten the socket existence check from != local to == aio.
Document the DooD threat model in SECURITY.md.

Reported by @greatmengqi.

* refactor(docker): address review on socket-hardening PR

- docker.sh: use absolute path for the dood overlay (match deploy.sh, drop cwd dependency)
- deploy.sh: drop now-dead DEER_FLOW_DOCKER_SOCKET exports in down/build paths
- docker-compose.yaml: fix stale header comment to point at the overlay

Addresses codex + reviewer feedback on #3517.

---------

Co-authored-by: Willem Jiang <willem.jiang@gmail.com>
This commit is contained in:
Xinmin Zeng
2026-06-14 11:03:50 +08:00
committed by GitHub
parent 474c89bac2
commit 5d61718c80
6 changed files with 96 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/deploy.sh
+9 -10
View File
@@ -215,7 +215,6 @@ if [ "$CMD" = "down" ]; then
export DEER_FLOW_HOME="${DEER_FLOW_HOME:-$REPO_ROOT/backend/.deer-flow}"
export DEER_FLOW_CONFIG_PATH="${DEER_FLOW_CONFIG_PATH:-$DEER_FLOW_HOME/config.yaml}"
export DEER_FLOW_EXTENSIONS_CONFIG_PATH="${DEER_FLOW_EXTENSIONS_CONFIG_PATH:-$DEER_FLOW_HOME/extensions_config.json}"
export DEER_FLOW_DOCKER_SOCKET="${DEER_FLOW_DOCKER_SOCKET:-/var/run/docker.sock}"
export DEER_FLOW_REPO_ROOT="${DEER_FLOW_REPO_ROOT:-$REPO_ROOT}"
export BETTER_AUTH_SECRET="${BETTER_AUTH_SECRET:-placeholder}"
export DEER_FLOW_INTERNAL_AUTH_TOKEN="${DEER_FLOW_INTERNAL_AUTH_TOKEN:-placeholder}"
@@ -232,11 +231,6 @@ if [ "$CMD" = "build" ]; then
echo "=========================================="
echo ""
# Docker socket is needed for compose to parse volume specs
if [ -z "$DEER_FLOW_DOCKER_SOCKET" ]; then
export DEER_FLOW_DOCKER_SOCKET="/var/run/docker.sock"
fi
"${COMPOSE_CMD[@]}" build
echo ""
@@ -270,20 +264,25 @@ if [ "$sandbox_mode" = "provisioner" ]; then
services="$services provisioner"
fi
# ── DEER_FLOW_DOCKER_SOCKET ───────────────────────────────────────────────────
# ── DEER_FLOW_DOCKER_SOCKET (aio / pure-DooD mode only) ──────────────────────
# Only aio mode (AioSandboxProvider without provisioner_url) needs the host
# Docker socket. It is mounted via the opt-in docker-compose.dood.yaml overlay,
# appended here, so the default (local) and provisioner modes never expose the
# host daemon. Mounting the socket = root-equivalent host control; see SECURITY.md.
if [ -z "$DEER_FLOW_DOCKER_SOCKET" ]; then
export DEER_FLOW_DOCKER_SOCKET="/var/run/docker.sock"
fi
if [ "$sandbox_mode" != "local" ]; then
if [ "$sandbox_mode" = "aio" ]; then
if [ ! -S "$DEER_FLOW_DOCKER_SOCKET" ]; then
echo -e "${RED}⚠ Docker socket not found at $DEER_FLOW_DOCKER_SOCKET${NC}"
echo " AioSandboxProvider (DooD) will not work."
exit 1
else
echo -e "${GREEN}✓ Docker socket: $DEER_FLOW_DOCKER_SOCKET${NC}"
fi
echo -e "${GREEN}✓ Docker socket: $DEER_FLOW_DOCKER_SOCKET${NC}"
echo -e "${YELLOW} Mounting host Docker socket into gateway (DooD = host root-equivalent). See SECURITY.md.${NC}"
COMPOSE_CMD+=(-f "$DOCKER_DIR/docker-compose.dood.yaml")
fi
echo ""
scripts/docker.sh
+14
View File
@@ -196,6 +196,20 @@ start() {
services="frontend gateway provisioner nginx"
fi
# Only aio mode (AioSandboxProvider without provisioner_url) needs the host
# Docker socket. Mount it via the opt-in docker-compose.dood.yaml overlay so
# the default (local) and provisioner modes never expose the host daemon.
# Mounting the socket = root-equivalent host control; see SECURITY.md.
if [ "$sandbox_mode" = "aio" ]; then
local docker_socket="${DEER_FLOW_DOCKER_SOCKET:-/var/run/docker.sock}"
if [ ! -S "$docker_socket" ]; then
echo -e "${YELLOW}⚠ Docker socket not found at $docker_socket — AioSandboxProvider (DooD) will not work.${NC}"
exit 1
fi
echo -e "${YELLOW}Mounting host Docker socket into gateway (DooD = host root-equivalent). See SECURITY.md.${NC}"
COMPOSE_CMD="$COMPOSE_CMD -f $DOCKER_DIR/docker-compose.dood.yaml"
fi
echo -e "${BLUE}Runtime: Gateway embedded agent runtime${NC}"
echo -e "${BLUE}Detected sandbox mode: $sandbox_mode${NC}"
if [ "$sandbox_mode" = "provisioner" ]; then