In its default state i think thats fair. Example docker bypasses most firewalls as it runs before iptables rules process. So if you don’t either use 127.0.0.1:port:port (many compose files offered by projects do not do this) or add specialized iptables rules to fix that up you can end up directly exposing services with meaning to or even realizing.
And yeah privilege escalation etc. There are solutions like what you mentioned but it can be a lot of work to set all that up so most people won’t
quick_snail@feddit.nl 2 days ago
Doker pull is insecure
It’s the download that’s not verified
partofthevoice@lemmy.zip 2 days ago
You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.
quick_snail@feddit.nl 2 days ago
Yeah, that’s the insecurity I’m talking about.
If you want to know how to implement this properly, look at apt. Its a known issue in docker; they just haven’t prioritized the fix yet ?DCT)
partofthevoice@lemmy.zip 2 days ago
What are you talking about, “yeah that’s the insecurity I’m talking about.”
I didn’t mention an insecurity and neither have you. Would you mind being a little more clear than “Docker pull is insecure?”
Frankly, I was expressing confidence in dockers security. It goes without saying though, any user can do insecure things like download from untrusted sources. That’s not dockers problem though, it’s the users.
Appoxo@lemmy.dbzer0.com 2 days ago
Download the image manually with something like curl???
quick_snail@feddit.nl 2 days ago
Hahahahahaha good luck.