Ask HN: Do you trust/install Docker in your personal computer?
I'm no longer using a separate computer from my employer and containers' security always worried me. Using VMs is very cumbersome in my opinion.
I haven't used Docker in years, do you think it's safe enough now to install in your main computer (Linux host)? It's not like I'm going to test malware inside the containers but there's a lot of 3rd-party dependencies living there.
If you do trust Docker, what precautions would you take? Running without root is viable?
I'm aware of https://github.com/docker/docker-bench-security
22 comments
[ 2.6 ms ] story [ 62.0 ms ] threadRunning as non-root is totally viable, but root still seems to be the norm. You might look into configuring docker daemon to not open ports externally.
That, and I don't particularly trust overlay filesystems.
Overlayfs 1 had many issues. Overlay 2 was buggy for a long time and we needed to patch in aufs in production for stability and lock around image pulls to prevent kernel deadlocks. But at this point, overlay2 is extremely stable in the 4.x kernel series in production. Though, there is still the copy-up quirk with hard links but that affects very few applications in the wild.
If you don't like overlay filesystems, you can use the devicemapper storage driver, and if you set it to direct-lvm mode it should be pretty equivalent to VM based volumes. When it comes to mounting in shared directories from the host though, I trust docker's bind mounts much more than VM based filesystem solutions.
Anyway, if you work alone or on a small team, VMs certainly suffice and the appeal of docker may be limited, but much of the convenience of docker comes from the ecosystem and immutability of images. I've always found it frustrating that such an ecosystem was built around docker when it could have been done with VMs all along. If your company is building docker image artifacts of your software as part of the CI system and that software has many dependencies, executing a production build becomes as easy as "docker run X" and reduces the need for developers to standardize their workstations on one linux distribution. That said, while I find this incredibly useful, it's rare that I do proper development with local docker images unless I'm briefly touching something with painful dependencies (like getting the frontend stack working to make a quick UI change as a backend developer)
I think you underestimate the issues with that. Why do you think VM companies haven't jumped on this bandwagon?
The closest thing I see to that are the restricted micro-VMs like Firecracker. And a big part of the reason they exist is to support the needs of containers.
The real point of Docker is containerized apps.
Maybe I should redo my node pools on GKE now that using gvisor is a checkbox or flag
I think the concern should be around what environment variables are required to run, what was in the base image, what volumes are mounted between container/host thus persisted through run's and don't mount /var/run/docker.sock! You should assume the container can be breached and make it as hard as possible to break out.