Ask HN: Do you trust/install Docker in your personal computer?

33 points by coffekaesque 5 years ago

I'm no longer using a separate computer from my employer and containers' security always worried me. Using VMs is very cumbersome in my opinion. I haven't used Docker in years; do you think it's safe enough now to install on your main computer (Linux host)? It's not like I'm going to test malware inside the containers but there's a lot of 3rd-party dependencies living there.

If you do trust Docker, what precautions would you take? Is running without root viable?

I'm aware of https://github.com/docker/docker-bench-security

k4ch0w 5 years ago

Running without root is totally viable, it is in fact encouraged. Take a look at: https://docs.docker.com/engine/security/userns-remap/

I think the concern should be around what environment variables are required to run, what was in the base image, what volumes are mounted between container/host thus persisted through runs, and don't mount /var/run/docker.sock! You should assume the container can be breached and make it as hard as possible to break out.

verdverm 5 years ago

I think most people are ok running docker on their laptop / personal / work machines.

Running as non-root is totally viable, but root still seems to be the norm. You might look into configuring docker daemon to not open ports externally.
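As an added example (not code from the thread or from Docker itself), the following script checks a daemon.json and a `docker inspect` entry for the hardening points raised in the two comments above: user namespace remapping, a daemon API listening on TCP without TLS, and containers that mount the Docker socket, run privileged, share host namespaces, add capabilities, run as uid 0, or carry secrets in environment variables. The daemon.json keys (`userns-remap`, `hosts`, `tlsverify`) and the inspect fields (`HostConfig`, `Mounts`, `Config`) are real Docker names; the sample dictionaries, the secret-name regex and the hypothetical paths are constructed for the example.

```python
"""Audit a Docker daemon.json and a `docker inspect` entry for common
container-escape and exposure risks. Sample data is constructed."""
import re

# Heuristic (assumption): env var names that usually hold credentials.
SECRET_ENV = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)


def audit_daemon_config(cfg):
    """Return findings for a dict with the shape of /etc/docker/daemon.json."""
    findings = []
    # Without userns-remap, uid 0 in a container is uid 0 on the host kernel.
    if not cfg.get("userns-remap"):
        findings.append("daemon: userns-remap not set; container root is host root")
    for host in cfg.get("hosts", []):
        # The engine API gives root on the host to anyone who can reach it.
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"daemon: API listens on {host} without tlsverify")
    return findings


def audit_container(inspect):
    """Return findings for one entry of `docker inspect <container>` output."""
    findings = []
    host_cfg = inspect.get("HostConfig", {})
    config = inspect.get("Config", {})
    if host_cfg.get("Privileged"):
        findings.append("container: --privileged (all capabilities, all devices)")
    for mount in inspect.get("Mounts", []):
        src = mount.get("Source", "")
        if src.rstrip("/").endswith("docker.sock"):
            findings.append(f"container: mounts {src}; equivalent to root on the host")
    for key, flag in (("PidMode", "--pid=host"), ("NetworkMode", "--net=host"),
                      ("IpcMode", "--ipc=host")):
        if host_cfg.get(key) == "host":
            findings.append(f"container: {flag} shares the host namespace")
    for cap in host_cfg.get("CapAdd") or []:
        findings.append(f"container: adds capability {cap}")
    if not config.get("User"):
        findings.append("container: no --user set; process runs as uid 0 in the container")
    for item in config.get("Env") or []:
        name = item.split("=", 1)[0]
        if SECRET_ENV.search(name):
            findings.append(f"container: env {name} looks like a secret; readable via docker inspect")
    return findings


# Constructed sample: a daemon exposed on the LAN without TLS and no remapping.
WEAK_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {"hosts": ["unix:///var/run/docker.sock"], "userns-remap": "default"}

# Constructed sample mirroring a container started with
# `-v /var/run/docker.sock:/var/run/docker.sock --pid=host --cap-add SYS_ADMIN`.
WEAK_CONTAINER = {
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
    "HostConfig": {"Privileged": False, "PidMode": "host", "NetworkMode": "bridge",
                   "IpcMode": "private", "CapAdd": ["SYS_ADMIN"]},
    "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
}
# Same shape, started with `--user 1000:1000 -v /home/me/proj:/src` (hypothetical path).
HARDENED_CONTAINER = {
    "Mounts": [{"Type": "bind", "Source": "/home/me/proj", "Destination": "/src"}],
    "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                   "IpcMode": "private", "CapAdd": None},
    "Config": {"User": "1000:1000", "Env": ["PATH=/usr/bin"]},
}

if __name__ == "__main__":
    for label, cfg in (("weak daemon", WEAK_DAEMON), ("hardened daemon", HARDENED_DAEMON)):
        print(label, audit_daemon_config(cfg))
    for label, c in (("weak container", WEAK_CONTAINER), ("hardened container", HARDENED_CONTAINER)):
        print(label, audit_container(c))
```

To run it against a live host, feed `json.load(open("/etc/docker/daemon.json"))` and `json.loads(subprocess.check_output(["docker", "inspect", cid]))[0]` to the two functions. Note that `userns-remap` only helps for containers that do not opt out with `--userns=host`, and that a container holding the Docker socket can start a privileged sibling regardless of any other flag, which is why the socket mount is flagged on its own.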

  • tracker1 5 years ago

    Worth noting: for Docker Desktop (Mac and Windows), Docker itself is in a full VM, and not really the platform's root user.

    • antonvs 5 years ago

      Chrome OS also uses this model in its Crostini subsystem. In that case it runs LXC containers in a full VM. You can run Docker inside those containers, too.

craftoman 5 years ago

Container isolation based on a kernel that wasn't prepared for this never happened. It's like jails for BSD or cgroup for Linux IMHO. I have found one exploit valued at $10K, capable of host escaping (RCE), that's still active based on the seller. You may be sceptical but don't forget this one: https://github.com/Frichetten/CVE-2019-5736-PoC?files=1

jstewartmobile 5 years ago

My Debian VM starts in seconds. Last docker image I had to use was Ubuntu, and it was enormous. For local purposes, I didn't really see the point to using a docker container.

That, and I don't particularly trust overlay filesystems.

  • paulfurtado 5 years ago

    The official base Ubuntu image is really not particularly large, I'm assuming you were using an image with additional things installed? But regardless, once pulled, it is cached locally. Be sure to reference the image by specific tag/sha rather than latest to ensure you're not doing excessive pulls.

    Overlayfs 1 had many issues. Overlay 2 was buggy for a long time and we needed to patch in aufs in production for stability and lock around image pulls to prevent kernel deadlocks. But at this point, overlay2 is extremely stable in the 4.x kernel series in production. Though, there is still the copy-up quirk with hard links but that affects very few applications in the wild.

    If you don't like overlay filesystems, you can use the devicemapper storage driver, and if you set it to direct-lvm mode it should be pretty equivalent to VM based volumes. When it comes to mounting in shared directories from the host though, I trust docker's bind mounts much more than VM based filesystem solutions.

    Anyway, if you work alone or on a small team, VMs certainly suffice and the appeal of docker may be limited, but much of the convenience of docker comes from the ecosystem and immutability of images. I've always found it frustrating that such an ecosystem was built around docker when it could have been done with VMs all along. If your company is building docker image artifacts of your software as part of the CI system and that software has many dependencies, executing a production build becomes as easy as "docker run X" and reduces the need for developers to standardize their workstations on one linux distribution. That said, while I find this incredibly useful, it's rare that I do proper development with local docker images unless I'm briefly touching something with painful dependencies (like getting the frontend stack working to make a quick UI change as a backend developer).

    • antonvs 5 years ago

      > I've always found it frustrating that such an ecosystem was built around docker when it could have been done with VMs all along.

      I think you underestimate the issues with that. Why do you think VM companies haven't jumped on this bandwagon?

      The closest thing I see to that are the restricted micro-VMs like Firecracker. And a big part of the reason they exist is to support the needs of containers.

  • cujic9 5 years ago

    Yes, if you simply want to run a VM, Docker may not make sense.

    The real point of Docker is containerized apps.

Tehchops 5 years ago

I think being judicious about the source of your base images goes a long way towards safe usage.
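Two comments above touch the supply-chain side of the question: paulfurtado's advice to reference images by a specific tag or digest rather than `latest`, and the point just made about being judicious with base image sources. As an added example (not code from the thread or from Docker), the script below parses the `FROM` lines of a Dockerfile, classifies each base image as pinned by digest, pinned by tag, or floating, and flags registries outside an allowlist. The image-reference splitting follows Docker's rule that the first path component is a registry only if it contains a `.` or `:` or is `localhost`; the allowlist, the sample Dockerfile, the organisation name and the digest value are constructed for the example.

```python
"""Classify base images in a Dockerfile by how tightly they are pinned and
whether they come from an allowlisted registry. Sample input is constructed."""
import re

# Assumption for the example: registries the team has decided to trust.
TRUSTED_REGISTRIES = {"docker.io", "registry.example.internal"}

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I | re.M)


def parse_image_ref(ref):
    """Split 'registry/repo:tag@sha256:...' into registry, repository, tag, digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # Docker treats the first component as a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last ':' that comes after the last '/'
    # (so a registry port such as localhost:5000 is not mistaken for a tag).
    tag = None
    last_slash, colon = path.rfind("/"), path.rfind(":")
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def pin_level(parsed):
    """'digest' is immutable; a 'tag' can be re-pointed by the publisher;
    'floating' means no tag or the implicit/explicit latest."""
    if parsed["digest"]:
        return "digest"
    if parsed["tag"] and parsed["tag"] != "latest":
        return "tag"
    return "floating"


def audit_dockerfile(text, trusted=TRUSTED_REGISTRIES):
    """Return one finding per FROM line that names an image. A FROM that
    names an earlier build stage (FROM builder) is not a pull and is skipped."""
    stages, findings = set(), []
    for m in FROM_RE.finditer(text):
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if ref.lower() in stages:
            continue
        p = parse_image_ref(ref)
        findings.append({"ref": ref, "pin": pin_level(p),
                         "trusted_registry": p["registry"] in trusted})
    return findings


# Constructed sample: three real pulls and one stage reference.
SAMPLE_DOCKERFILE = """\
FROM golang:1.21 AS builder
WORKDIR /src
RUN go build -o app .

FROM --platform=linux/amd64 ubuntu
COPY --from=builder /src/app /usr/local/bin/app

FROM ghcr.io/example/base@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM builder AS tests
"""

if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{f['pin']:8} trusted={f['trusted_registry']!s:5} {f['ref']}")
```

Run it over a real file with `audit_dockerfile(open("Dockerfile").read())`. The useful distinction is between `tag` and `digest`: `golang:1.21` avoids surprise upgrades to a new major version but the publisher can still re-push that tag, whereas `@sha256:...` names exact content and will fail rather than silently change. `docker pull` and `docker inspect --format '{{index .RepoDigests 0}}'` give you the digest to pin to.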

tracker1 5 years ago

I'm pretty okay with it... if you're really concerned, run it in a full virtual machine to isolate it.

katzeilla 5 years ago

I don't trust Docker since I have to install it from a third party repo, so I always run it on a separate machine and use ssh to send commands.

Wavelets 5 years ago

What is your cause for concern?

  • coffekaesque 5 years ago

    Getting my pc compromised in any way. My data is very important for me, both personal and from clients. Or an attacker gaining access to my accounts or servers. I also don't like telemetry but that's outside this topic I guess.

ksynwa 5 years ago

What are some use cases for running something like docker or podman on your personal computer? Genuinely curious.

  • coffekaesque 5 years ago

    In my case it's for my local development environment. I also have personal projects and I do freelancing so I was tired of having multiple computers and using virtual machines.

pella 5 years ago

you can add extra safety like: https://gvisor.dev/ "A container sandbox runtime focused on security, efficiency, and ease of use."

  • verdverm 5 years ago

    You could also set gvisor as the default docker runtime. I would do this except all my production belongs to the docker-proper runtime.

    Maybe I should redo my node pools on GKE now that using gvisor is a checkbox or flag

  • tixocloud 5 years ago

    Thanks. Would gvisor be stable enough to deploy into production?

segmondy 5 years ago

Running applications in docker is safer than not running in docker. If you want to run multiple applications, you can use lxc (linux containers) instead.