Comment on Rybbit - Open source Google Analytics replacement
quick_snail@feddit.nl 1 month ago
Docker is a security risk. Is it possible to install securely?
yessikg@fedia.io 1 month ago
I imagine you can use Podman instead
quick_snail@feddit.nl 1 month ago
I think that has the same problems, no? Or does podman do signature verification on all the layers it downloads from the container repo?
yessikg@fedia.io 1 month ago
Podman runs rootless by default
quick_snail@feddit.nl 1 month ago
You didn't read what I wrote. The security problem is how it downloads layers. It doesn't verify them.
partofthevoice@lemmy.zip 1 month ago
Docker is a security risk? … excuse me, what? Can’t you just, idunno, secure the environment that docker runs in? Use rootless images? Use immutable images?
And, are you asking for something that runs on bare metal? Couldn’t you just install the ISO that the dockerfile uses, then convert the dockerfile logic to an sh script?
quick_snail@feddit.nl 1 month ago
Docker pull is insecure.
It’s the download that’s not verified
partofthevoice@lemmy.zip 1 month ago
You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.
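To make concrete what "verify the checksum" does and does not buy you, here is an added example; it is not code from the thread, from Rybbit, or from Docker. It builds a constructed OCI-style manifest over two fake layer blobs and checks a download the way pinning a reference of the form `image@sha256:<digest>` does: the pinned manifest digest fixes the digest of every layer, so a swapped layer or a tag that has been moved to another image fails the check. It says nothing about who published the image; that is what a signature (Docker Content Trust, cosign) adds. The blob contents, manifest fields and function names are assumptions for the example.

```python
"""Added example: what pinning an image by content digest verifies."""
import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """Content digest in the form registries and image@sha256:... references use."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Constructed sample data (not a real image): two fake layer blobs.
LAYER_BLOBS = [b"fake layer 0: base filesystem\n", b"fake layer 1: app files\n"]


def build_manifest(blobs):
    """Build a minimal OCI-style manifest that references each blob by size and digest."""
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "layers": [
            {"mediaType": "application/vnd.oci.image.layer.v1.tar",
             "size": len(b), "digest": sha256_digest(b)}
            for b in blobs
        ],
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


MANIFEST = build_manifest(LAYER_BLOBS)
# This is the value an operator pins, e.g. `image: registry.example/app@sha256:...`
# (hypothetical reference for the example).
PINNED_DIGEST = sha256_digest(MANIFEST)


def verify_pull(manifest_bytes, blobs, pinned_digest):
    """Check a downloaded manifest against the pinned digest, then every layer
    against the manifest. Returns (ok, reason)."""
    if sha256_digest(manifest_bytes) != pinned_digest:
        return False, "manifest digest does not match pinned digest"
    manifest = json.loads(manifest_bytes)
    for i, layer in enumerate(manifest["layers"]):
        if i >= len(blobs):
            return False, f"layer {i} missing"
        blob = blobs[i]
        if len(blob) != layer["size"] or sha256_digest(blob) != layer["digest"]:
            return False, f"layer {i} does not match manifest digest"
    return True, "all content matches pinned digest"


def tampered_pull():
    """Simulate a registry or proxy swapping one layer but serving the original manifest."""
    swapped = list(LAYER_BLOBS)
    swapped[1] = b"fake layer 1: app files + backdoor\n"
    return verify_pull(MANIFEST, swapped, PINNED_DIGEST)


def retagged_pull():
    """Simulate a mutable tag moved to a different, internally consistent image:
    its layers match its own manifest, but the manifest is not the pinned one."""
    other_blobs = [b"some other image\n"]
    return verify_pull(build_manifest(other_blobs), other_blobs, PINNED_DIGEST)


if __name__ == "__main__":
    print(verify_pull(MANIFEST, LAYER_BLOBS, PINNED_DIGEST))
    print(tampered_pull())
    print(retagged_pull())
```

The digest only covers integrity against a fixed reference: if you pull by a mutable tag and have nothing pinned, there is nothing to compare the downloaded manifest against, which is the gap a signed manifest closes.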
quick_snail@feddit.nl 1 month ago
Yeah, that’s the insecurity I’m talking about.
If you want to know how to implement this properly, look at apt. It's a known issue in Docker; they just haven't prioritized the fix yet (DCT).
Appoxo@lemmy.dbzer0.com 1 month ago
Download the image manually with something like curl???
quick_snail@feddit.nl 1 month ago
Hahahahahaha good luck.
LordKitsuna@lemmy.world 1 month ago
In its default state I think that's fair. For example, Docker bypasses most firewalls, as it runs before iptables rules are processed. So if you don't either use 127.0.0.1:port:port (many compose files offered by projects do not do this) or add specialized iptables rules to fix that up, you can end up directly exposing services without meaning to or even realizing it.
And yeah, privilege escalation etc. There are solutions like what you mentioned, but it can be a lot of work to set all that up, so most people won't.
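The port-binding pitfall above is easy to check for before running a compose file. Here is an added example (not from the thread, Rybbit or Docker): it scans a constructed compose file for short-syntax `ports:` entries that omit a host IP or use `0.0.0.0`/`::`, which Docker publishes on every interface, and prints the `127.0.0.1:` form for each. The service names, image names and ports are made up for the example; the parser handles only the short `host:container` syntax.

```python
"""Added example: flag compose port mappings published on all interfaces."""
import re

# Constructed sample compose file (not Rybbit's, not any real project's).
SAMPLE_COMPOSE = """\
services:
  web:
    image: example/web:1.0
    ports:
      - "8080:80"            # no host IP: bound on 0.0.0.0, ahead of host firewall rules
      - "127.0.0.1:9090:9090"
      - 0.0.0.0:5432:5432
  db:
    image: example/db:1.0
    ports:
      - "3306:3306"
"""

PORT_RE = re.compile(r'^\s*-\s*["\']?(?P<spec>[^"\'#\s]+)["\']?')


def parse_port_specs(compose_text):
    """Yield (service, spec) for each short-syntax entry under a service's ports: block.
    Assumes the usual two-space indentation of a compose file."""
    service, in_ports = None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):      # "  web:"
            service, in_ports = stripped[:-1], False
            continue
        if indent == 4:                                  # a service key such as ports:
            in_ports = stripped == "ports:"
            continue
        if in_ports:
            m = PORT_RE.match(line)
            if m:
                yield service, m.group("spec")


def classify(spec):
    """Split a short port spec into (host_ip, host_port, container_port).
    host_ip is None when the spec gives no address (Docker then uses all interfaces)."""
    spec = spec.split("/", 1)[0]                         # drop a /udp or /tcp suffix
    parts = spec.split(":")
    if len(parts) == 1:                                  # "80": ephemeral host port
        return None, None, parts[0]
    if len(parts) == 2:                                  # "8080:80"
        return None, parts[0], parts[1]
    host_ip = ":".join(parts[:-2]).strip("[]")           # IPv6 hosts contain colons
    return host_ip, parts[-2], parts[-1]


ALL_INTERFACES = {None, "0.0.0.0", "::"}


def find_exposed(compose_text):
    """Return [(service, original_spec, loopback_only_spec)] for every mapping that
    would publish the container port on every host interface."""
    findings = []
    for service, spec in parse_port_specs(compose_text):
        host_ip, host_port, container_port = classify(spec)
        if host_ip in ALL_INTERFACES:
            fixed = f"127.0.0.1:{host_port or ''}:{container_port}"
            findings.append((service, spec, fixed))
    return findings


if __name__ == "__main__":
    for service, spec, fixed in find_exposed(SAMPLE_COMPOSE):
        print(f"{service}: {spec!r} publishes on all interfaces; use {fixed!r}")
```

Binding to 127.0.0.1 is the fix that needs no firewall knowledge. If a service really must be reachable from outside, Docker's own iptables rules are inserted ahead of the host's, and the DOCKER-USER chain is the one Docker reserves for operator rules that should be evaluated before them, so that is where an allow-list belongs.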