9 comments

[ 2.8 ms ] story [ 27.1 ms ] thread
Consider updating color schema, the gray code is unreadable on ipad
Yes, I have a plan to do it ASAP - you’re definetly right :/
I enjoyed reading your blog post and the points you've mentioned are really important, for example suid bit is something that is not obvious at all.

If you'll ever get to writing similar guide for Kubernetes, ping me and I'd be happy to make it a guest blog post at gravitational.com

Yes! A friend of mine also noticed that I forgot to speak about —userns! I should fix it in the next days hopefully
There is Docker Bench for security that helps you get a quick overview for your system: https://github.com/docker/docker-bench-security

If you compare with LXD security on Docker is just sad...

Have fun hitting strange bugs: multi-stage builds break when you use user-namespaces: https://github.com/moby/moby/issues/34645

Using USER has some interesting side effects like no more access to /dev/stdout and /dev/stderr

Using apparmor profiles does not do what you think it would do (i.e. disallowing access outside of image-fs) it's rather a few rules to prevent access to certain /proc things.

But you can do this: https://docs.docker.com/engine/security/apparmor/

How does your site have no scrollbar? I know its a small thing, but it looks so clean...