Hitler uses Docker(www.youtube.com)

posted 24 days ago

db0@lemmy.dbzer0.com

programmer_humor@programming.dev

19 commentshide report

Sort:

Hot Top Controversial New Old

You are viewing a single thread.

View all comments

[ - ]

death_to_carrots@feddit.org

18 points

24 days ago

If you think docker/container are for security, you’re doing it wrong.

permalink

report

[ - ]

Fuck Yankies@lemmy.ml

2 points

24 days ago

Sure it’s for security… securing my host systems, you goomba. You devs being heve hoed out of my deployment and migration is one of the greatest releases ever, next fo busting a nut. Keep your filthy containers and VMs. Stay outta my host systems.

I’m a computer custodian and I absolutely hate the devs. They are maniacs. Harumph.

permalink

report

parent

[ - ]

adr1an@programming.devM

1 point

19 days ago

Docker is not rootless. Is only safe as long as the container (or those web devs) doesn’t use nsenter or anything similar to get root access outside of it ;)

permalink

report

parent

[ - ]

Fuck Yankies@lemmy.ml

1 point

19 days ago

Wrong again, though it is a fairly recent feature and as an answer to Podman and to meet OCI standards.

permalink

report

parent

[ - ]

adr1an@programming.devM

1 point

18 days ago

Ah, my bad “again”… should have mentioned that there’s the advance configuration option that 1% of the geeks do

permalink

report

parent

[ - ]

Fuck Yankies@lemmy.ml

1 point

18 days ago

It’s not a question of being a geek, but securing your entire supply chain. If you don’t already vet container image layers and cosigning said containers, chances are you’re already in risky rivers all the same.

In essence the rooted mode was never that big of a risk when compared to the actual runtimes. Certain attacks don’t even care about being in a user container if it deals with breaking the kernel itself, even with SELinux and AppArmor taken into account.

Rootless containers aren’t a magic bullet as a result. The only thing that you should concern yourself with is what you’re pushing to prod, how you layer your images and cosigning so that you can source… every mess… to every desk jockey junior…

You…

Do not…

Mess with my infra.

permalink

report

parent

[ - ]

adr1an@programming.devM

2 points

17 days ago

Indeed. Also, I am concerned about self-hosting enthusiasts that install docker (without the advance rootless mode) and blindly run containers. Sometimes these containers are even made by third parties, independent of the app developers. Unfortunately, the supply chain there is up for grabs…

permalink

report

parent

Show more comments