I imagine you can use Podman instead
Comment on Rybbit - Open source Google Analytics replacement
quick_snail@feddit.nl 2 months ago
Docker is a security risk. Is it possible to install securely?
yessikg@fedia.io 2 months ago
quick_snail@feddit.nl 2 months ago
I think that has the same problems, no? Or does podman do signature verification on all the layers it downloads from the container repo?
yessikg@fedia.io 2 months ago
Podman runs rootless by default
quick_snail@feddit.nl 2 months ago
You didnt read what I wrote. The security problem is how it downloads layers. It doesn’t verify them.
partofthevoice@lemmy.zip 2 months ago
Docker is a security risk? … excuse me, what? Can’t you just, idunno, secure the environment that docker runs in? Use rootless images? Use immutable images?
And, are you asking for something that runs on bare metal? Couldn’t you just install the ISO that the dockerfile uses, then convert the dockerfile logic to an sh script?
quick_snail@feddit.nl 2 months ago
Doker pull is insecure
It’s the download that’s not verified
partofthevoice@lemmy.zip 2 months ago
You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.
quick_snail@feddit.nl 2 months ago
Yeah, that’s the insecurity I’m talking about.
If you want to know how to implement this properly, look at apt. Its a known issue in docker; they just haven’t prioritized the fix yet ?DCT)
Appoxo@lemmy.dbzer0.com 2 months ago
Download the image manually with something like curl???
quick_snail@feddit.nl 2 months ago
Hahahahahaha good luck.
LordKitsuna@lemmy.world 2 months ago
In its default state i think thats fair. Example docker bypasses most firewalls as it runs before iptables rules process. So if you don’t either use 127.0.0.1:port:port (many compose files offered by projects do not do this) or add specialized iptables rules to fix that up you can end up directly exposing services with meaning to or even realizing.
And yeah privilege escalation etc. There are solutions like what you mentioned but it can be a lot of work to set all that up so most people won’t