If access to the system Docker daemon is effectively root on that host, then I think it makes sense to just use root on the host for any Docker management, instead of, say, adding an otherwise unprivileged user to the "docker" group.
I've been exploring rootless and non-Docker OCI options, but so far nothing seems any better from a security lens. Even rootless Docker with cgroups/subuid/subgid requires root to set the necessary permissions on volumes in order for containers to have privileges to read or write to them.
Any other #Docker, #Containerization, or #Linux nerds out there have security advice for container isolation?
My latest exploration:
- dedicated physical host
- Alpine Linux
- standard Docker installed via apk
- no users in the docker group
- cgroups
- entries for root in /etc/subuid and /etc/subgid
- all "docker" commands run as root
- all docker containers started with user and group explicitly set
I don't care about pretty management UIs or abstractions on top of the fundamentals. I'm looking for ideas for ways to achieve better container isolation, as close to the "metal" as it gets.
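The checklist above can be turned into something auditable. The following is an added example, not the poster's own setup or any project's code: a POSIX sh script that checks constructed stand-ins for /etc/group and /etc/subuid against the rules in the post (no members in the docker group, a subordinate-ID range for the remap user), renders a daemon.json that turns on user-namespace remapping, and prints a `docker run` line with the user and group set explicitly. It goes slightly beyond the post by also dropping capabilities, forbidding privilege escalation and making the root filesystem read-only. The daemon.json keys (`userns-remap`, `no-new-privileges`, `icc`) and the run flags are real Docker options; using `root` as the remap user is carried over from the post's layout as an assumption, and the sample file contents and the `audit`/`hardened_run` helper names are made up for the example. Nothing here touches the real host files or the daemon.

```shell
#!/bin/sh
# Added example: audit helpers for a root-managed, user-namespaced Docker host.
# Runs only on the constructed sample data below; it never reads /etc/group,
# /etc/subuid or talks to dockerd. Run it as root on the real host, per the post.

# Constructed stand-ins for /etc/group and /etc/subuid (not from a real host).
SAMPLE_GROUP='root:x:0:root
wheel:x:10:root,alice
docker:x:101:'
SAMPLE_GROUP_BAD='docker:x:101:alice,bob'
SAMPLE_SUBUID='root:100000:65536
alice:165536:65536'

# docker_group_members CONTENT: print the members of the "docker" group, one per line.
docker_group_members() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# docker_group_empty CONTENT: succeed only if nobody is in the docker group
# (membership there is root-equivalent on the host).
docker_group_empty() {
  [ -z "$(docker_group_members "$1")" ]
}

# has_subid USER CONTENT: succeed if USER owns a subordinate-ID range of at
# least 65536 IDs, enough for a full container UID/GID space.
has_subid() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u && $3 + 0 >= 65536 { ok = 1 } END { exit !ok }'
}

# render_daemon_json REMAP_USER: daemon.json that maps container root to the
# REMAP_USER's subordinate range, blocks setuid gains and inter-container traffic.
render_daemon_json() {
  printf '{\n  "userns-remap": "%s",\n  "no-new-privileges": true,\n  "icc": false\n}\n' "$1"
}

# hardened_run UID GID IMAGE [CMD]: print a docker run line with an explicit
# user/group plus the least-privilege flags the post does not list.
hardened_run() {
  u=$1; g=$2; image=$3; shift 3
  printf 'docker run --rm --user %s:%s --cap-drop ALL --security-opt no-new-privileges --read-only --pids-limit 256 %s' "$u" "$g" "$image"
  for a in "$@"; do printf ' %s' "$a"; done
  printf '\n'
}

# audit GROUP_CONTENT SUBUID_CONTENT REMAP_USER: run both checks, print a
# report, and fail if either rule is violated.
audit() {
  rc=0
  if docker_group_empty "$1"; then
    echo "ok: docker group has no members"
  else
    echo "FAIL: docker group members: $(docker_group_members "$1" | tr '\n' ' ')"; rc=1
  fi
  if has_subid "$3" "$2"; then
    echo "ok: $3 has a subordinate UID range"
  else
    echo "FAIL: no subordinate UID range for $3"; rc=1
  fi
  return $rc
}

# Usage on the sample data: only emit the config when the host passes the audit.
audit "$SAMPLE_GROUP" "$SAMPLE_SUBUID" root && render_daemon_json root
hardened_run 1000 1000 alpine:3.20 id
```

On a real host you would feed `audit` the contents of /etc/group and /etc/subuid, write the rendered JSON to /etc/docker/daemon.json, restart dockerd, and then confirm with `docker info` that user-namespace remapping is active before starting containers with the printed command shape.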
For all my #Linux friends, or those looking to get away from #Microsoft #Windows11, I've recently found the most fantastic program (note that it's still in beta) called #WinBoat.
It lets you run Windows applications windowless through #kvm using #Docker on your Linux desktop, giving them an almost native application feel.
If anyone knows a way to get these devs sponsored, they need help working out GPU bypass so that #LinuxGaming becomes an option as well.
https://github.com/TibixDev/winboat
You can now pull a prebuilt Docker image for bloat at git.fjox.win/fjox/bloat!
Discover how to connect Codex to MCP servers using the MCP Toolkit. Streamline your development workflow and enhance your project efficiency. #Docker #MCP
➡️ The result? Your containers are always fresh, secure and performant, without you lifting a finger!
Find out how to save that precious time:
🔗 The official site (with the docs): https://containrrr.dev/watchtower/ 🔗 The source code (for the curious): https://github.com/containrrr/watchtower
#Docker #DevOps #Automatisation #GainDeTemps #TranquillitéDEsprit #Tech #OpenSource #SysAdmin #Conteneurs 🐳🚀

"Rauナダ: Let's see, I need to share files over a local network (desktop + 2 old laptops) to access folders. I tried Syncthing but it wasn't good, so I'll probably try Copyparty. How do I set it up? Do I have to install it on every machine or just on the server? What configuration file would be appropriate? That's the help I need. #LocalNetwork #Copyparty #Docker #Help #NetworkTraffic"
https://www.reddit.com/r/selfhosted/comments/1oeymsn/id_like_a_little_help_with_copyparty/
Squeeze 65% Gains From docker: Lean Images, Faster Deploys https://devopsoasis.blog/squeeze-65-gains-from-docker-lean-images-faster-deploys/ #Devops, #Docker
Tracing a malicious auth attempt in Postgres in closed server (UFW - Docker) #networking #docker #ufw #wireguard
https://askubuntu.com/q/1557782/612
Why More People Are Taking Control of Their Digital Lives with Self-Hosted Alternatives
#Community #Engineering #Containers #Developers #Docker
https://www.docker.com/blog/self-hosted-alternatives-control-your-data/
AI Guide to the Galaxy: MCP Toolkit and Gateway, Explained
#Docker #Products #DockerDesktop #DockerMCPGateway #MCP
https://www.docker.com/blog/mcp-toolkit-gateway-explained/
The first steps are done and the fine-tuning comes over the next while: on a Raspberry Pi 4 with Docker behind a FRITZ!Box, I first got a password manager (Vaultwarden) and a cloud (NextCloud) running and reachable from outside. Next, Obsidian is being added as a notebook, and then we'll see!
#raspberrypi #docker #digitalunabhaengigkeit #bastelei
#Docker container hungry af.
This system definitely doesn't have 10+ cores, in case anyone wonders.^^ Podman is just silly.
