Secure MCP Server Deployment Using Docker Containers
Summary
A recent security review identified a critical vulnerability in an MCP (Multi-Container Platform) server deployment where mounting the /var/run/docker.sock directly into a container gave a language model-driven assistant root-equivalent access to the entire host. This setup, intended for tasks like restarting services or tailing logs, allowed the creation of privileged containers and sandbox escapes. Initial attempts to fix this with application-level allowlists were discarded as ineffective, as the over-privileged container could bypass them. The final solution involved a two-container architecture: an MCP server with no Docker socket access and a hardened sidecar exposing only three specific HTTP endpoints (restart, status, logs) for a pre-approved list of container names. The sidecar, with read-only socket access, enforces all permissions through its code, ensuring the MCP server remains isolated from direct Docker control.
Key takeaway
For AI Security Engineers or MLOps teams deploying MCP servers with infrastructure control, you must prioritize container-level isolation over prompt injection defenses. Avoid mounting "/var/run/docker.sock" directly into LLM-driven containers. Instead, implement a dedicated, minimally privileged sidecar that exposes only specific, pre-approved operations on a restricted list of containers. This approach confidently bounds the blast radius, treating the language model as an untrusted caller and mitigating evolving prompt injection risks.
Key insights
Mounting the Docker socket into an LLM-driven container grants root-equivalent host access, creating a critical security vulnerability.
Principles
- Treat language models as untrusted callers.
- Application-level restrictions are insufficient.
- Container-level isolation bounds blast radius.
Method
Implement a two-container split: an MCP server with no Docker socket access and a hardened sidecar exposing only specific, pre-approved HTTP endpoints for container management.
In practice
- Implement a dedicated sidecar for Docker API calls.
- Restrict sidecar to specific container names and operations.
- Configure MCP server with read-only filesystem and dropped capabilities.
Topics
- Docker Security
- Container Isolation
- MCP Servers
- Language Model Security
- Prompt Injection
- Sidecar Pattern
Best for: AI Security Engineer, AI Engineer, MLOps Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by HackerNoon.