Linux

57140 readers

798 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

How to secure (podman or docker) containers for public-facing hosting? (lemmy.ml)

submitted 2 years ago* (last edited 2 years ago) by cyclohexane@lemmy.ml to c/linux@lemmy.ml

7 comments fedilink hide all child comments

Context

I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.

Requirements

I want to run applications within containers such that they

Must not be able to interfere with applications running on host
Must not be able to interfere with other containers or applications inside them
Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.

Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.

What I found so far

Running containers in rootless mode: in other words, running the container daemon with an unprivileged host user
Running applications in container under unprivileged users: the container user under which the container is ran should be unprivileged
Networking: The container's networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.

Alternative solution

I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.

top 7 comments

sorted by: hot top controversial new old

[–] hackerwacker@lemmy.ml 0 points 2 years ago (1 children)

Containers are meant to simplify operational aspects of development and deployment. For proper isolation you should use virtual machines.

[–] lemmyvore@feddit.nl 0 points 2 years ago (1 children)

By default a container runs with network, storage and resources isolated from the host. What about this isolation is not "proper"?

[–] hackerwacker@lemmy.ml -1 points 2 years ago (1 children)

Because OP is looking for security isolation, which isn't what containers are for. Much like an umbrella stops rain, but not bullets. You fool.

[–] lemmyvore@feddit.nl 0 points 2 years ago (1 children)

I still don't understand why you think containers aren't adequate.

Say you break into a container, how would you break out?

[–] Max_P@lemmy.max-p.me 0 points 2 years ago (1 children)

Kernel exploits. Containers logically isolate resources but they're still effectively running as processes on the same kernel sharing the same hardware. There was one of those just last year: https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes

Virtual machines are a whole other beast because the isolation is enforced at the hardware level, so you have to exploit hardware vulnerabilities like Spectre or a virtual device like a couple years ago some people found a breakout bug in the old floppy emulation driver that still gets assigned to VMs by default in QEMU.

[–] lemmyvore@feddit.nl 0 points 2 years ago (1 children)

You don't design security solutions on the premise that they're not working.

[–] Max_P@lemmy.max-p.me 1 points 2 years ago

Old thread, but case in point: https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/

The potential attack surface of a container will always be much larger than a VM, because a VM is its own kernel and own memory space, there's no implicit sharing with the host only explicit message passing.