Self-Hosted Main

502 readers

1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

Service: Dropbox - Alternative: Nextcloud
Service: Google Reader - Alternative: Tiny Tiny RSS
Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Awesome-Selfhosted List of Software
Awesome-Sysadmin List of Software

founded 1 year ago

MODERATORS

communick@selfhosted.forum

How do you protect yourself against malicious docker containers / projects? (alien.top)

submitted 10 months ago by Simplixt@alien.top to c/main@selfhosted.forum

9 comments fedilink hide all child comments

Hi all,

as I'm running a lot of docker containers in my "self-hosted cloud", I'm also a little bit worried about getting malicious docker containers at some points. And I'm not a dev, so very limited capabilities to inspect the source code myself.

Not every docker container is a "nextcloud" image with hundred of active contributors and many eyes looking at the source code. Many Self-Hosted projects are quite small, and Github accounts can be hacked, etc. ...

What I'm doing in the moment, is:

Project selection:
- only select docker projects with high community activity on GitHub and a good track record

Docker networks:
- use separate isolated networks for every container without internet access
- if certain APIs need internet access (e.g. Geolocation data), I use an NGINX-proxy to forward this domain only (e.g. self-made outgoing application firewall)

Multiple LXC containers:
- I split my docker containers into multiple LXC instances via Proxmox, some senitive containers like Bitwarden are running on their own LXC instance

Watchtower:
- no automatic updates, but manual updates once per month and testing afterwards

Any other tips? Or am I worrying too much? ;)

you are viewing a single comment's thread
view the rest of the comments

[–] WiseCookie69@alien.top 1 points 10 months ago

Granted I use Kubernetes, but here you go:

I run stuff with user namespaces, so even a root process within the container is unprivileged on the host
- there's a demo
- https://www.youtube.com/watch?v=M4a2b4KkXN8
- https://kubernetes.io/blog/2023/09/13/userns-alpha/
I isolate namespaces via NetworkPolicies
- Even my Nextcloud instance has no business to check upstream for updates (i have renovate for that)
I use securityContexts to make my containers as unprivileged as possible
- drop all capabilities
- enforce a read-only container filesystem
- enforce running as a specific UID/GID (many maintainers are lazy and just run their stuff as root)