Darktrace: ShadowV2: An emerging DDoS for hire botnet https://www.darktrace.com/blog/shadowv2-an-emerging-ddos-for-hire-botnet #cybersecurity #infosec
More:
The Hacker News: ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service https://thehackernews.com/2025/09/shadowv2-botnet-exploits-misconfigured.html #Docker #AWS
MCP Horror Stories: The Drive-By Localhost Breach
#Products #Docker #MCP #MCPserver #Security
https://www.docker.com/blog/mpc-horror-stories-cve-2025-49596-local-host-breach/
We love #Docker and #k8s but our backbone is system administration and engineering, whether it's Big Tech-free On-Prem and Colo solutions incorporating cloud technology or embedded systems with Yocto 💪
#FreeBSD #OpenBSD #Linux #nefollowers

Keeping Docker containers up to date with Watchtower https://myblog.clonbg.es/mantener-actualizados-los-contenedores-docker-con-watchtower/ #Docker #Servicios https://clonbg.es

A grumpy ItSec guy walks through the office when he overhears an exchange of words.
devops0: Two containers went rogue last night and starved the whole host.
devops1: What are we supposed to do?
ItSec (walking by): Set limits. It's not rocket science. Docker exposes cgroup controls for CPU, memory, I/O and PIDs. Use them.
The point is: availability is part of security too. Linux control groups allow you to cap, isolate and observe resource usage, which is exactly how Docker enforces container limits for CPU, memory, block I/O and process counts [1]. Let's make it tangible with a small lab. We'll spin a container, install stress-ng, and watch limits in action.
# On the Docker host
docker run -itd --name ubuntu-limits ubuntu:22.04
docker exec -it ubuntu-limits bash
# Inside the container
apt update && apt install -y stress-ng
stress-ng --version
Check how many cores you see, then drive them.
# Inside the container
nproc
# For my host nproc returns 4
stress-ng --cpu 4 --cpu-load 100 --timeout 30s
In another terminal, watch usage from the host.
docker stats
Now clamp CPU for the running container and see the throttle take effect.
docker update ubuntu-limits --cpus=1
docker stats
The --cpus flag is a wrapper over the Linux CFS period/quota; --cpus=1 caps the container at roughly one core's worth of time on a multi‑core host.
Memory limits are similar. First tighten RAM and swap, then try to over‑allocate in the container.
# On the host
docker update ubuntu-limits --memory=128m --memory-swap=256m
docker stats
# Inside the container: stays under the cap
stress-ng --vm 1 --vm-bytes 100M --timeout 30s --vm-keep
# Inside the container: tries to exceed; you may see reclaim/pressure instead of success
stress-ng --vm 1 --vm-bytes 300M --timeout 30s --vm-keep
A few memory details matter. --memory is the hard ceiling; --memory-swap controls total RAM+swap available. Setting swap equal to memory disables swap for that container; leaving it unset often allows swap equal to the memory limit; setting -1 allows unlimited swap up to what the host provides.
docker run -it --rm \
--name demo \
--cpus=1 \
--memory=256m \
--memory-swap=256m \
--pids-limit=25 \
ubuntu:22.04 bash
For plain docker compose (non‑Swarm), set service‑level attributes. The Compose Services reference explicitly supports cpus, mem_limit, memswap_limit and pids_limit on services [2].
services:
  api:
    image: ubuntu:22.04
    command: ["sleep", "infinity"]
    cpus: "1"              # at most one CPU's worth of time
    mem_limit: "256m"      # hard RAM limit
    memswap_limit: "256m"  # RAM+swap; equal to mem_limit disables swap
    pids_limit: 50         # max processes inside the container
[1] https://docs.docker.com/engine/containers/resource_constraints/
[2] https://docs.docker.com/reference/compose-file/services/
For more grumpy stories visit:
1) https://infosec.exchange/@reynardsec/115093791930794699
2) https://infosec.exchange/@reynardsec/115048607028444198
3) https://infosec.exchange/@reynardsec/115014440095793678
4) https://infosec.exchange/@reynardsec/114912792051851956
5) https://infosec.exchange/@reynardsec/115133293060285123
6) https://infosec.exchange/@reynardsec/115178689445065785
#appsec #devops #programming #webdev #docker #containers #cybersecurity #infosec #cloud #sysadmin #sysops #java #php #javascript #node

🤑 Oh look, another "totally unexpected" #crypto miner in your #Docker container—because who hasn't accidentally mined #Bitcoin while innocently downloading #Linux ISOs? Sure, you were just after that "sweet sweet Omarchy ISO," but surprise! 🎉 Your CPU's been hijacked. Who needs #security when you have Docker, right? 🙃
https://apogliaghi.com/2025/09/crypto-miner-in-hotio/qbittorrent/ #mining #ISOs #HackerNews #ngated
📝 Cheat sheet for #Docker

And I didn't even mention the third variable in the devel setup equation: #Docker 🙄
Docker security: how to quickly audit a Dockerfile with Lynis? https://www.it-connect.fr/securite-docker-comment-auditer-rapidement-un-dockerfile-avec-lynis/ #InfrastructureasCode #Cybersécurité #Docker
This seemed to me an obvious way to do away with the cost of copying, at least in some cases. But so far I haven't even seen it discussed anywhere. Are there any technical obstacles that I didn't see? I'm not an expert in the technical details of containers and overlay file systems, so maybe my approach encounters difficulties in a place I haven't even thought of? Does anybody know? #containers #docker #podman
I have published a tutorial on YouTube where I explain the things to keep in mind when installing the #Docker tool on #Windows.
Improve your efficiency and productivity!
Note: image generated with generative AI.

Containers revolutionized the way we deploy apps. From lightweight isolation & Docker making containers accessible, to OCI standardizing runtimes, they paved the way forward. But, let's not forget, orchestration, security & observability still matter #Containers #Docker #OCI