Comment on Rybbit - Open source Google Analytics replacement
quick_snail@feddit.nl 2 days ago
Docker is a security risk. Is it possible to install securely?
yessikg@fedia.io 2 days ago
I imagine you can use Podman instead
quick_snail@feddit.nl 2 days ago
I think that has the same problems, no? Or does Podman do signature verification on all the layers it downloads from the container repo?
yessikg@fedia.io 1 day ago
Podman runs rootless by default
quick_snail@feddit.nl 1 day ago
You didn't read what I wrote. The security problem is how it downloads layers. It doesn't verify them.
partofthevoice@lemmy.zip 2 days ago
Docker is a security risk? … excuse me, what? Can't you just, I dunno, secure the environment that Docker runs in? Use rootless images? Use immutable images?
And, are you asking for something that runs on bare metal? Couldn't you just install the ISO that the Dockerfile uses, then convert the Dockerfile logic to an sh script?
quick_snail@feddit.nl 2 days ago
Docker pull is insecure
It’s the download that’s not verified
partofthevoice@lemmy.zip 2 days ago
You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.
quick_snail@feddit.nl 2 days ago
Yeah, that’s the insecurity I’m talking about.
If you want to know how to implement this properly, look at apt. It's a known issue in Docker; they just haven't prioritized the fix yet (DCT).
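The two mechanisms the thread is circling, the checksum check partofthevoice mentions and the signature layer quick_snail wants (DCT), can be shown concretely. This is an added example, not code from the thread, from Rybbit, or from Docker/Podman. Registry layers are content-addressed: the manifest names every blob by sha256 digest and a conforming client recomputes the digest of each blob it receives and rejects a mismatch. What a digest check cannot tell you is whether the manifest itself is the one the publisher intended, since a tag like `:latest` can be repointed server-side; pinning the manifest digest into the image reference (`name@sha256:...`) or requiring a signature on the tag closes that gap. The functions below reproduce the blob check over a constructed file and show how to pin a reference; the real `docker`/`podman` commands appear only in comments because they need a registry. The sample blob contents and the all-`0123456789abcdef` digest are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or any project): what "verifying the
# download" means for an OCI registry client, and how to pin an image reference.
#
# Real-world counterparts, not run here because they need a registry:
#   docker pull nginx@sha256:<64 hex>              # pull by pinned manifest digest
#   DOCKER_CONTENT_TRUST=1 docker pull nginx        # Docker Content Trust: require a signed tag
#   docker image inspect --format '{{index .RepoDigests 0}}' nginx   # digest to pin
#   Podman: per-registry "signedBy" requirements live in /etc/containers/policy.json

# sha256_of FILE: hex digest, portable across coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_blob_digest FILE EXPECTED
# EXPECTED is in OCI form "sha256:<64 hex>", as listed in the manifest.
# Returns 0 only if the received bytes hash to exactly that digest.
verify_blob_digest() {
    case "$2" in
        sha256:*) ;;
        *) echo "unsupported digest algorithm: $2" >&2; return 1 ;;
    esac
    actual="sha256:$(sha256_of "$1")"
    [ "$actual" = "$2" ]
}

# is_digest_pinned REF: true if REF ends in @sha256:<64 hex>, i.e. it is immutable.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# pin_reference NAME[:TAG] DIGEST -> NAME@DIGEST
# The tag is dropped because the digest, not the tag, identifies the content.
# A ':' followed by '/' belongs to a registry port (host:5000/img), not a tag.
pin_reference() {
    ref=${1%%@*}
    case "${ref##*:}" in
        */*) ;;
        *)   [ "${ref##*:}" != "$ref" ] && ref=${ref%:*} ;;
    esac
    printf '%s@%s\n' "$ref" "$2"
}

# --- stand-alone demo over a constructed blob; runs offline ---
blob=$(mktemp)
printf 'constructed layer contents\n' > "$blob"
expected="sha256:$(sha256_of "$blob")"   # in reality this comes from the manifest
verify_blob_digest "$blob" "$expected" && echo "blob accepted: $expected"
printf 'tampered' >> "$blob"
verify_blob_digest "$blob" "$expected" || echo "blob rejected after tampering"
rm -f "$blob"
pin_reference 'localhost:5000/app:1.2' \
    'sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
```

The digest check alone is what every registry client already does per blob; the pinning step is the part an operator has to do themselves, by replacing `image: app:latest` in a compose file with the `@sha256:` form `pin_reference` prints.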
Appoxo@lemmy.dbzer0.com 2 days ago
Download the image manually with something like curl???
quick_snail@feddit.nl 2 days ago
Hahahahahaha good luck.
LordKitsuna@lemmy.world 2 days ago
In its default state I think that's fair. For example, Docker bypasses most firewalls, as it runs before iptables rules process. So if you don't either use 127.0.0.1:port:port (many compose files offered by projects do not do this) or add specialized iptables rules to fix that up, you can end up directly exposing services without meaning to or even realizing.
And yeah, privilege escalation etc. There are solutions like what you mentioned, but it can be a lot of work to set all that up, so most people won't.
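A small lint for the exposure LordKitsuna describes, added here as an example and not taken from the thread, from Rybbit, or from any project's compose file. Docker publishes a port with its own nat rules, so a short-syntax mapping such as `"3000:3000"` listens on every interface regardless of what ufw or similar host rules say; only a mapping that names a loopback address (`127.0.0.1:3000:3000` or `[::1]:3000:3000`) stays local. The functions below classify each short-syntax `ports:` entry and count the exposed ones in a compose file. The sample compose file is constructed; only the short string syntax with bare or double-quoted items is parsed, and the compose long syntax (a mapping with `target:`/`published:`/`host_ip:` keys) is not handled.

```shell
#!/bin/sh
# Added example (not from the thread or any project): flag compose port
# mappings that Docker will bind on all interfaces.
#
# For services that must stay private, bind them to loopback and put a reverse
# proxy in front. To add host firewall rules that Docker honours, insert them in
# the DOCKER-USER chain, which Docker evaluates before its own FORWARD rules, e.g.
#   iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP
# (interface and subnet above are assumptions for illustration).

# classify_port_mapping MAPPING
# Prints loopback, exposed or unparsed for one short-syntax `ports:` entry.
classify_port_mapping() {
    m=${1%%/*}                       # drop a protocol suffix such as /udp
    case "$m" in
        127.*:*:*|\[::1\]:*:*)  echo loopback ;;   # host IP is loopback
        *:*:*)                  echo exposed ;;    # host IP given, not loopback
        [0-9]*:[0-9]*|[0-9]*)   echo exposed ;;    # no host IP: Docker binds 0.0.0.0
        *)                      echo unparsed ;;
    esac
}

# extract_port_mappings FILE
# Prints each item under a `ports:` key, one per line, quotes and comments stripped.
extract_port_mappings() {
    awk '
        /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
        inports && /^[[:space:]]*-[[:space:]]*/ {
            line = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", line)
            sub(/[[:space:]]*#.*$/, "", line)
            gsub(/"/, "", line)
            print line
            next
        }
        inports { inports = 0 }
    ' "$1"
}

# count_exposed_mappings FILE: number of mappings reachable from other hosts.
count_exposed_mappings() {
    n=0
    for m in $(extract_port_mappings "$1"); do
        [ "$(classify_port_mapping "$m")" = exposed ] && n=$((n + 1))
    done
    echo "$n"
}

# write_sample_compose FILE: constructed compose file, two exposed mappings.
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  app:
    image: app:latest
    ports:
      - "3000:3000"             # exposed: no host IP, binds 0.0.0.0
      - "127.0.0.1:5432:5432"   # loopback only
      - 0.0.0.0:8080:80/tcp     # exposed explicitly
  db:
    image: postgres
EOF
}

# --- stand-alone demo ---
sample=$(mktemp)
write_sample_compose "$sample"
extract_port_mappings "$sample" | while read -r m; do
    printf '%-24s %s\n' "$m" "$(classify_port_mapping "$m")"
done
echo "exposed mappings: $(count_exposed_mappings "$sample")"
rm -f "$sample"
```

Running the lint in CI against the compose files a project ships, before they are deployed, catches the case in the thread where an upstream compose file publishes everything on `0.0.0.0` and the operator assumes the host firewall is still in charge.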