
Ask HN: Do you trust/install Docker on your personal computer? - coffekaesque
I'm no longer using a separate computer from my employer and containers' security always worried me. Using VMs is very cumbersome in my opinion.

I haven't used Docker in years; do you think it's safe enough now to install on your main computer (Linux host)? It's not like I'm going to test malware inside the containers, but there's a lot of 3rd-party dependencies living there.

If you do trust Docker, what precautions would you take? Is running without root viable?

I'm aware of https://github.com/docker/docker-bench-security
======
k4ch0w
Running without root is totally viable, it is in fact encouraged. Take a look
at: [https://docs.docker.com/engine/security/userns-remap/](https://docs.docker.com/engine/security/userns-remap/)

I think the concern should be around what environment variables are required
to run, what was in the base image, what volumes are mounted between
container/host (thus persisted through runs), and don't mount
/var/run/docker.sock! You should assume the container can be breached and make
it as hard as possible to break out.
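The checks this comment lists (mounted volumes, the docker socket, root inside the container, secret-bearing environment variables) can be run mechanically over the JSON that `docker inspect` prints. The following audit script is an added example, not code from any poster; the `docker inspect` document it reads is a constructed sample, and the lists of risky paths, capabilities and env-name hints are the author's own choices, not anything Docker ships. It also flags the default `runc` runtime, which the gVisor suggestion further down the thread addresses.

```python
import json

# Constructed sample of `docker inspect <container>` output (not a real container):
# it mounts the Docker socket and runs privileged, on the host network, as root, under runc.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/ci-agent",
    "Config": {"User": "", "Env": ["AWS_SECRET_ACCESS_KEY=constructed-example", "PATH=/usr/bin"]},
    "HostConfig": {"Privileged": True, "NetworkMode": "host", "Runtime": "runc", "CapAdd": ["SYS_ADMIN"]},
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        {"Type": "bind", "Source": "/home/me/project", "Destination": "/app"},
    ],
}])

SENSITIVE_ENV_HINTS = ("SECRET", "TOKEN", "PASSWORD", "PASSWD", "_KEY")  # assumed heuristics
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
RISKY_HOST_PATHS = {"/etc", "/root", "/proc", "/sys", "/dev"}

def audit_container(c):
    """Return human-readable findings for one entry of the `docker inspect` JSON array."""
    findings = []
    host, cfg = c.get("HostConfig") or {}, c.get("Config") or {}
    for m in c.get("Mounts") or []:
        src, dst = m.get("Source", ""), m.get("Destination", "")
        if m.get("Type") != "bind":
            continue  # named volumes live under the daemon's data root, not on arbitrary host paths
        if src.endswith("docker.sock"):
            findings.append(f"docker socket bind-mounted at {dst}: the container can drive the host daemon")
        elif src == "/" or src.rstrip("/") in RISKY_HOST_PATHS:
            findings.append(f"sensitive host path {src} bind-mounted at {dst}")
    if host.get("Privileged"):
        findings.append("privileged: full capabilities and host device access")
    if host.get("NetworkMode") == "host":
        findings.append("host network: no network namespace, container sees host interfaces")
    for cap in host.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in RISKY_CAPS:
            findings.append(f"added capability {cap} weakens isolation")
    if not cfg.get("User"):
        findings.append("runs as root inside the container; pair with userns-remap or set a non-root user")
    if host.get("Runtime", "runc") == "runc":
        findings.append("runtime is runc (shared host kernel); runsc/gVisor would add a sandbox layer")
    for env in cfg.get("Env") or []:
        name = env.split("=", 1)[0]
        if any(h in name.upper() for h in SENSITIVE_ENV_HINTS):
            findings.append(f"secret-looking environment variable {name} is passed into the container")
    return findings

def audit_inspect_output(text):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {c.get("Name", "?"): audit_container(c) for c in json.loads(text)}
```

To audit a real container, pass the output of `docker inspect <name>` to `audit_inspect_output` in place of the constructed sample.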

------
verdverm
I think most people are ok running docker on their laptop / personal / work
machines.

Running as non-root is totally viable, but root still seems to be the norm.
You might look into configuring docker daemon to not open ports externally.

~~~
tracker1
worth noting: for Docker Desktop (Mac and Windows), Docker itself is in a full
VM, and not really the platform's root user.

~~~
antonvs
Chrome OS also uses this model in its Crostini subsystem. In that case it runs
LXC containers in a full VM. You can run Docker inside those containers, too.

------
craftoman
Container isolation based on a kernel that wasn't prepared for this never
happened. It's like jails for BSD or cgroup for Linux IMHO. I have found one
exploit valuable at $10K, capable of host escaping (RCE) that's still active
based on the seller. You may be sceptical but don't forget this one:
[https://github.com/Frichetten/CVE-2019-5736-PoC?files=1](https://github.com/Frichetten/CVE-2019-5736-PoC?files=1)

------
jstewartmobile
My Debian VM starts in seconds. Last docker image I had to use was Ubuntu, and
it was enormous. For local purposes, I didn't really see the point to using a
docker container.

That, and I don't particularly trust overlay filesystems.

~~~
paulfurtado
The official base Ubuntu image is really not particularly large, I'm assuming
you were using an image with additional things installed? But regardless, once
pulled, it is cached locally. Be sure to reference the image by specific
tag/sha rather than latest to ensure you're not doing excessive pulls.

Overlayfs 1 had many issues. Overlay 2 was buggy for a long time and we needed
to patch in aufs in production for stability and lock around image pulls to
prevent kernel deadlocks. But at this point, overlay2 is extremely stable in
the 4.x kernel series in production. Though, there is still the copy-up quirk
with hard links but that affects very few applications in the wild.

If you don't like overlay filesystems, you can use the devicemapper storage
driver, and if you set it to direct-lvm mode it should be pretty equivalent to
VM based volumes. When it comes to mounting in shared directories from the
host though, I trust docker's bind mounts much more than VM based filesystem
solutions.

Anyway, if you work alone or on a small team, VMs certainly suffice and the
appeal of docker may be limited, but much of the convenience of docker comes
from the ecosystem and immutability of images. I've always found it
frustrating that such an ecosystem was built around docker when it could have
been done with VMs all along. If your company is building docker image
artifacts of your software as part of the CI system and that software has many
dependencies, executing a production build becomes as easy as "docker run X"
and reduces the need for developers to standardize their workstations on one
linux distribution. That said, while I find this incredibly useful, it's rare
that I do proper development with local docker images unless I'm briefly
touching something with painful dependencies (like getting the frontend stack
working to make a quick UI change as a backend developer).

~~~
antonvs
> I've always found it frustrating that such an ecosystem was built around
> docker when it could have been done with VMs all along.

I think you underestimate the issues with that. Why do you think VM companies
haven't jumped on this bandwagon?

The closest thing I see to that are the restricted micro-VMs like Firecracker.
And a big part of the reason they exist is to support the needs of containers.

------
Tehchops
I think being judicious about the source of your base images goes a long way
towards safe usage.

------
tracker1
I'm pretty okay with it... if you're really concerned, run it in a full
virtual machine to isolate it.

------
katzeilla
I don't trust Docker since I have to install it from a third party repo, so I
always run it on a separate machine and use ssh to send commands.

------
Wavelets
What is your cause for concern?

~~~
coffekaesque
Getting my PC compromised in any way. My data is very important to me, both
personal and from clients. Or an attacker gaining access to my accounts or
servers. I also don't like telemetry, but that's outside this topic I guess.

------
ksynwa
What are some use cases for running something like docker or podman on your
personal computer? Genuinely curious.

~~~
coffekaesque
In my case it's for my local development environment. I also have personal
projects and I do freelancing so I was tired of having multiple computers and
using virtual machines.

------
pella
You can add extra safety like: [https://gvisor.dev/](https://gvisor.dev/) _"A
container sandbox runtime focused on security, efficiency, and ease of use."_

~~~
verdverm
You could also set gvisor as the default docker runtime. I would do this
except all my production belongs to the docker proper runtime.

Maybe I should redo my node pools on GKE now that using gvisor is a checkbox
or flag.

------
segmondy
Running applications in docker is safer than not running in docker. If you
want to run multiple applications, you can use lxc (linux containers) instead.

