For Exploding Containers?
Wow... a Virtual Mole and Remote Access Trojan combo. Whatever can we expect next?
A vulnerability in all versions of Docker can be potentially exploited by miscreants to escape containers' security protections, and read and write data on host machines, possibly leading to code execution. This is according to senior SUSE software engineer Aleksa Sarai, who said the flaw is a race condition bug in which a …
Docker is a gaping security hole as a concept
Downloading and running a random internet guy's image in a container on your Docker environment is worse than downloading and clicking random .exe files on your Windows box:
1. NO, and by NO I mean absolutely NO malware detection in most cases!
2. Everything as root, yeahh... check those container processes!
3. Culture of trust: This is beautiful but can we be sure that the loving altruistic spirit is in ALL container images available as a one-liner from repos?
4. The majority of Docker containers run on powerful server systems with high bandwidth.
If I wanted malware running anywhere, I would look at Docker repos as my first choice!
Docker is for people who haven't got the skill to set up a proper server.
You're a prat! It's only as insecure as you wish to make it.
Do you really think that anyone who knows what they're doing with containers just pulls images willy-nilly off the Docker Hub? FFS! That's like just pulling an O/S ISO off some random torrent site; might as well take your system out in the garden and smash it up with a hammer. Build your own images from the base certified O/S images, and add your own apps and scripts in the build as you put it together.
If you run Docker direct on your host O/S you are a bit of a pillock too. You run Docker in a VM, a proper secured environment, and never direct on the native host; then you can isolate it and lock it down. You do know that in container technology you can see every single file in the host O/S? The container is not a VM; all the files, scripts and everything used in the container is fully exposed on the host's O/S filesystem, where it can be inspected and scanned before you do anything with it, if you really must use prebuilt images from Fred down-the-road.
Sounds like you need to stop reading FUD and start learning Docker and Kubernetes properly, not just firing up a few demo images after watching some spotty 16 year old's YouTube on running Docker.
"Do you really think that anyone who knows what they're doing with containers just pulls images willy-nilly off the Docker Hub?":
YES! And I know they do, because I actually operate in the real world.
"If you run Docker direct on your host O/S you are a bit of a pillock too. You run Docker in a VM"
You, sir, are an idiot! Have you ever stopped to contemplate the reason for virtualization? You run Docker on "the iron" if you want to do any kind of resource optimization, that is! Of course you can run it in the public cloud like any schmuck and do your new feudal masters' bidding.
I have 20+ years of service uptime under my belt; you, sir, sound like an asshole with a few too many opinions from "social media".
"Docker is a gaping security hole as a concept...Docker is for people who haven't got the skill to set up a proper server."
Smartypantz, you're a moron.
"1. NO, and by NO I mean absolutely NO malware detection in most cases!"
I build my own dockers. I could just ask myself if I added malware. Why the hell would I run a scan?
"2. Everything as root, yeahh... check those container processes!"
Those who know Docker call those "privileged containers." It's useful in some situations, not all. What the hell are you doing with Docker?
"3. Culture of trust: This is beautiful but can we be sure that the loving altruistic spirit is in ALL container images available as a one-liner from repos?"
Docker is a container used to run software in a controlled and often ephemeral environment. Your advice about unknown software is nice, but why? What the hell are you running in Docker?
"4. The majority of Docker containers run on powerful server systems with high bandwidth. If I wanted malware running anywhere, I would look at Docker repos as my first choice!"
Whatever floats your boat. If you think my private repos are the best entry point to compromise my servers, I wish you luck.
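The two practical points the thread keeps circling back to, building your own image from a distro base instead of pulling an unknown one and not running the workload as root inside the container, are easy to show concretely. The Dockerfile below is an added example, not code from the article or from any commenter. It assumes a statically linked binary named `service` in `./bin` of the build context and the fixed UID 10001; both are illustrative choices, and the `--chmod` flag on `COPY` needs BuildKit (Docker 20.10 or later).

```dockerfile
# Added example: build from an upstream distro base and drop root before the
# process starts. In real use pin the base to a content digest
# (FROM debian:bookworm-slim@sha256:<digest>) so a retagged upstream image
# cannot silently change what you build on; no digest is asserted here.
FROM debian:bookworm-slim

# Install only what the service needs, from the distro's signed repositories,
# and clear the apt cache so the layer contains nothing but the packages.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Create an unprivileged, non-login account with a fixed UID (assumed: 10001)
# so ownership of any bind mounts on the host is predictable.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid 10001 --no-create-home \
            --shell /usr/sbin/nologin app

# Copy the application in from the build context (assumed: ./bin/service).
# It is owned by root and executable but not writable by the service user,
# so a compromised process cannot rewrite its own binary.
COPY --chown=root:root --chmod=0755 bin/service /usr/local/bin/service

# Everything from here on, including the running process, is UID 10001.
USER app:app
WORKDIR /tmp

ENTRYPOINT ["/usr/local/bin/service"]
```

Building the image yourself is only half of it; the same discipline applies at run time. Start it with `docker run --read-only --cap-drop=ALL --security-opt=no-new-privileges --user 10001:10001 <image>` so the root filesystem is immutable, no capabilities are granted, and a setuid binary that slipped into a layer cannot regain privilege. If you do have to start from someone else's image, `docker history <image>` and `docker save <image> | tar -tv` let you list the layers and every file in them before a single process from that image runs, which is the inspection the second commenter is describing.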