Using USER has some interesting side effects like no more access to /dev/stdout and /dev/stderr
Using apparmor profiles does not do what you think it would do (i.e. disallowing access outside of image-fs) it's rather a few rules to prevent access to certain /proc things.
9 comments
[ 2.8 ms ] story [ 27.1 ms ] threadIf you'll ever get to writing similar guide for Kubernetes, ping me and I'd be happy to make it a guest blog post at gravitational.com
If you compare with LXD security on Docker is just sad...
Have fun hitting strange bugs: multi-stage builds break when you use user-namespaces: https://github.com/moby/moby/issues/34645
Using USER has some interesting side effects like no more access to /dev/stdout and /dev/stderr
Using apparmor profiles does not do what you think it would do (i.e. disallowing access outside of image-fs) it's rather a few rules to prevent access to certain /proc things.
But you can do this: https://docs.docker.com/engine/security/apparmor/