this post was submitted on 21 Oct 2024
62 points (89.7% liked)

Programmer Humor

19443 readers
37 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 4 days ago* (last edited 4 days ago) (4 children)

Wrong again, though it is a fairly recent feature and as an answer to Podman and to meet OCI standards.

[–] anzo 1 points 4 days ago* (last edited 4 days ago) (3 children)

Ah, my bad "again"... should have mentioned that there's the advance configuration option that 1% of the geeks do

[–] [email protected] 1 points 4 days ago (2 children)

It's not a question of being a geek, but securing your entire supply chain. If you don't already vet container image layers and cosigning said containers, chances are you're already in risky rivers all the same.

In essence the rooted mode was never that big of a risk when compared to the actual runtimes. Certain attacks don't even care about being in a user container if it deals with breaking the kernel itself, even with SELinux and AppArmor taken into account.

Rootless containers aren't a magic bullet as a result. The only thing that you should concern yourself with is what you're pushing to prod, how you layer your images and cosigning so that you can source... every mess... to every desk jockey junior...

You....

Do not...

Mess with my infra.

1000000363

[–] anzo 2 points 3 days ago (1 children)

Indeed. Also, I am concerned about self-hosting enthusiasts that install docker (without the advance rootless mode) and blindly run containers. Sometimes these containers are even made by third parties, independent of the app developers. Unfortunately, the supply chain there is up for grabs...

[–] [email protected] 1 points 3 days ago

I can recommend utilizing watchtower for image updates and ChainGuard registry for image layering if someone is using Docker. Watchtower should be fairly easy to implement, even across images, and chainguard meets with governmental and military standards. They are also quite lightweight images, since they've gone over to a new base distro that cuts down on a lot of cruft.