I’ve read that standard containers are optimized for developer productivity and not security, which makes sense.

But then what would be ideal to use for security? Suppose I want to isolate environments from each other for security purposes, to run questionable programs or reduce attack surface. What are some secure solutions?

Something without the performance hit of VMs

  • dragnucs@lemmy.ml
    2·
    1 year ago

    It is the application Docker that is not secure. Containers are. In fact Docker runs a daemon as root to wich you communicate from a client. This is what makes it less secure; running under root power. It also has a few shortcomings of privileged containers. This can be easily solved by using podman and SELinux. If you can manage to run Docker rootless, then you are magnitudes higher in security.

    • piezoelectron@sopuli.xyz
      1·
      1 year ago

      Do you think Podman is ready to take over Docker? My understanding is that Podman is Docker without the root requirement.

      • dragnucs@lemmy.ml
        2·
        1 year ago

        Yes it is. I’ve been using it for more than a year now. Works reliably. Has pod support aswel.

        • piezoelectron@sopuli.xyz
          0·
          1 year ago

          Great. I don’t know enough to use either but I think I’m going to try lean on podman from the get go. In any case, I know that all podman commands are exactly identical to Docker, such that you can replace, say, docker compose with podman compose and move on with ease.

          • Guilvareux@feddit.uk
            2·
            1 year ago

            With the specific exception of podman compose I completely agree. I haven’t tested it for a while but podman compose has had issues with compose file syntax in my experience. Especially with network configs.

            However, I have been using “docker-compose” with podman’s docker compatible socket implementation when necessary, with great success