You are viewing a single thread.
View all comments View context
12 points

Don’t let perfection be the enemy of good. Security is not all or nothing. Reducing the attack surface is still important.

Can you elaborate on running docker daemon as rootless? It’s my understanding that you can add your account to a group to access the docker daemon rootless, but the containers are still running as root, as the daemon itself raises the access to root.

permalink
report
parent
reply
2 points

but the containers are still running as root, as the daemon itself raises the access to root.

No. The daemon can run without root, as such the containers don’t have root. My docker install doesn’t have root access. None of my stacks / containers need any root access tbh. I don’t have any troubles with deplyong stuff.

https://docs.docker.com/engine/security/rootless/

permalink
report
parent
reply
-4 points

Not sure relying on podman alone as a security tool might be advisable. Podman is a container technology first, security is not the main goal.

Read more about rootless docker here.

permalink
report
parent
reply
7 points

I never said I was relying on it alone. Not sure why you think that.

That’s a great link. Thank you for sharing. It’s good that docker supports this functionality now.

permalink
report
parent
reply
-5 points

I never said I was relying on it alone. Not sure why you think that.

…all my services aren’t running as root.

If it turns out a vulnerability is discovered in lemmy tomorrow that allows people to access my server through my lemmy container, the attacker will only have access to a dummy account that hosts my containers.

This was your argument according to you for why you think podman is more secure (than docker I presume). Seemed to imply rootless podman will save you from an attacker. I was simply disproving the flawed notion.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 5.1K

    Monthly active users

  • 3.6K

    Posts

  • 81K

    Comments