I’ve read that standard containers are optimized for developer productivity and not security, which makes sense.

But then what would be ideal to use for security? Suppose I want to isolate environments from each other for security purposes, to run questionable programs or reduce attack surface. What are some secure solutions?

Something without the performance hit of VMs

  • dragnucs@lemmy.ml · 2 upvotes · 1 year ago

    It is the application Docker that is not secure. Containers are. In fact Docker runs a daemon as root to which you communicate from a client. This is what makes it less secure; running under root power. It also has a few shortcomings of privileged containers. This can be easily solved by using podman and SELinux. If you can manage to run Docker rootless, then you are magnitudes higher in security.
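The point above about rootless containers comes down to user namespaces: inside a rootless container "root" is uid 0, but the kernel maps it to an ordinary host uid, so a process that breaks out of the container lands on the host without root. The following is an added example, not code from the commenter or from the podman or Docker projects. It parses the kernel's `/proc/<pid>/uid_map` format (three fields per line: id inside the namespace, id outside, length of the range) and resolves uids in both directions. The two maps are constructed sample input: one for a rootful container with no user namespace, and one for a typical rootless container of host user 1000 with a 65536-id subuid range starting at 100000; the exact host uid and range on a real system come from /etc/subuid and will differ.

```python
"""Resolve container uids to host uids from a /proc/<pid>/uid_map.

Each uid_map line is "<id inside namespace> <id outside namespace> <length>".
The maps below are constructed sample input for illustration.
"""

# Constructed: a container with no user namespace (rootful daemon default).
# uid 0 inside the container is uid 0 on the host.
ROOTFUL_UID_MAP = "0 0 4294967295\n"

# Constructed: rootless container for host user 1000 whose /etc/subuid
# entry grants the range 100000-165535. uid 0 inside -> 1000 outside,
# uids 1..65536 inside -> 100000..165535 outside.
ROOTLESS_UID_MAP = "0 1000 1\n1 100000 65536\n"


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length in line: {line!r}")
        ranges.append((inside, outside, length))
    return ranges


def container_to_host_uid(container_uid, uid_map_text):
    """Map a uid as seen inside the container to the host uid it really is.

    Returns None when no range covers the uid; such a uid cannot be held
    by any process inside the namespace.
    """
    for inside, outside, length in parse_uid_map(uid_map_text):
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def host_to_container_uid(host_uid, uid_map_text):
    """Map a host uid to what the container sees it as.

    Returns None when the host uid is not mapped into the container; files
    owned by such a uid appear inside as the overflow id (nobody).
    """
    for inside, outside, length in parse_uid_map(uid_map_text):
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None


def container_root_is_host_root(uid_map_text):
    """True when a container-escape as uid 0 gives real root on the host."""
    return container_to_host_uid(0, uid_map_text) == 0


if __name__ == "__main__":
    for name, umap in (("rootful", ROOTFUL_UID_MAP),
                       ("rootless", ROOTLESS_UID_MAP)):
        host_uid = container_to_host_uid(0, umap)
        print(f"{name}: container uid 0 is host uid {host_uid}; "
              f"host root after escape: {container_root_is_host_root(umap)}")
        print(f"{name}: host uid 0 appears in container as "
              f"{host_to_container_uid(0, umap)}")
```

To check a live container, read `/proc/<container-pid>/uid_map` from the host (or `/proc/self/uid_map` from inside) and feed it to the same functions; a first line of `0 0 4294967295` means the container's root is the host's root.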

    • piezoelectron@sopuli.xyz · 2 upvotes · 1 year ago

      Do you think Podman is ready to take over Docker? My understanding is that Podman is Docker without the root requirement.

      • dragnucs@lemmy.ml · 2 upvotes · 1 year ago

        Yes it is. I’ve been using it for more than a year now. Works reliably. Has pod support as well.

        • piezoelectron@sopuli.xyz · 0 upvotes · 1 year ago

          Great. I don’t know enough to use either, but I think I’m going to try to lean on podman from the get-go. In any case, I know that all podman commands are exactly identical to Docker, such that you can replace, say, docker compose with podman compose and move on with ease.

          • Guilvareux@feddit.uk · 2 upvotes · 1 year ago

            With the specific exception of podman compose I completely agree. I haven’t tested it for a while but podman compose has had issues with compose file syntax in my experience. Especially with network configs.

            However, I have been using “docker-compose” with podman’s Docker-compatible socket implementation when necessary, with great success.

    • boo@beehaw.org · 0 upvotes · 1 year ago

      There can also be old images with e.g. old OpenSSL versions being used. It’s not a concern if they are updated frequently, but that is still manual.

      • dragnucs@lemmy.ml · 1 upvote · 1 year ago

        This is a problem of the containerized program and the image itself. This problem affects containers, VMs, and bare metal as well.