What is the Docker socket and why is exposing it dangerous?

The Docker socket (/var/run/docker.sock) is a Unix socket that the Docker CLI uses to communicate with the Docker daemon. The daemon listens on this socket for API commands. When you run docker ps, the CLI sends an HTTP request through this socket to the daemon. Mounting the Docker socket into a container (-v /var/run/docker.sock:/var/run/docker.sock) allows the container to control the Docker daemon directly — create containers, pull images, execute commands in other containers. This is used by: CI/CD tools (Jenkins, GitLab Runner doing Docker builds), monitoring tools (Portainer, cAdvisor), and Docker-in-Docker scenarios. Why it's dangerous: a container with Docker socket access has effectively root access to the HOST. The process inside the container can: create a privileged container mounting the host filesystem, escape container isolation entirely, read secrets from other containers, destroy all containers. This is a critical security boundary to understand. Safer alternatives: (1) Docker-in-Docker (dind): run a separate Docker daemon inside a privileged container — isolated but privileged container still risky; (2) BuildKit remote builder: use docker buildx with a remote build instance; (3) Kaniko: builds Docker images inside containers without Docker daemon access; (4) Podman: rootless container runtime.