[ale] Would you mind critiquing a container build HOWTO?

DJPfulio at jdpfu.com DJPfulio at jdpfu.com
Thu Jul 4 11:03:50 EDT 2024


Perhaps I wasn't clear.

There are 2 types of Linux containers.
1. System Containers - lxc is one of these.
2. Application Containers - podman/docker are examples of these.

System containers have run non-privileged for some time, by default.  Root inside doesn't mean anything outside. Usually outside the LXC container, the host-level userid is 1000000+.

For application containers, much of the security is lost because docker used privileged containers (where root inside and outside are uid 0).  This is a pretty large FAIL in my book, but clearly most docker people don't care or didn't know. A docker container set up to expect privileged access to host things will bring that security failure with it whether it is needed or not.  If the default doesn't require a privileged container, I need to rethink my use of application containers, but I also need to learn how to be certain unprivileged containers are used and are the default.

So .... those are my questions.  Do most recent docker containers work with an unprivileged container and is that the default?

On 7/4/24 09:34, Leam Hall via Ale wrote:
> I forgot to add that dmesg fails on the container, even though my user on the host can see it.
> 
>      sh-5.2# dmesg
>      dmesg: read kernel buffer failed: Operation not permitted
> 
> Leam
> 
> 
> On 7/4/24 08:19, dj-Pfulio via Ale wrote:
>> Does that mean that Docker doesn't still by default use privileged containers?
>> I didn't see that question answered.
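
Added example, not part of the original message: a Python check of the UID mapping the message describes, reading `/proc/<pid>/uid_map` from the host to see whether uid 0 inside a container is uid 0 outside. The function names and the three sample maps are constructed for illustration; it checks only the user-namespace mapping, not capabilities or other container settings.

```python
from pathlib import Path


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def host_id(entries, inside_id):
    """Translate an id inside the namespace to the id seen outside, or None if unmapped."""
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def root_is_host_root(map_text):
    """True when uid 0 inside the namespace is uid 0 outside (no remapping of root)."""
    return host_id(parse_id_map(map_text), 0) == 0


def check_pid(pid):
    """Run on the host against the PID of a process that lives inside the container."""
    return root_is_host_root(Path(f"/proc/{pid}/uid_map").read_text())


# Constructed sample maps (not captured from a real system).
NO_REMAP = "         0          0 4294967295\n"    # identity map: root is host root
LXC_STYLE = "         0    1000000      65536\n"   # root inside is uid 1000000 outside
ROOTLESS_STYLE = "0 1000 1\n1 100000 65536\n"      # root inside is an ordinary host user

if __name__ == "__main__":
    samples = {"no remap": NO_REMAP, "lxc style": LXC_STYLE, "rootless style": ROOTLESS_STYLE}
    for name, sample in samples.items():
        uid = host_id(parse_id_map(sample), 0)
        print(f"{name}: container uid 0 -> host uid {uid}, host root: {root_is_host_root(sample)}")
```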


