Hacker News new | past | comments | ask | show | jobs | submit login

Hi all, I'm a maintainer of Docker. As others already indicated this doesn't work on 1.0. But it could have.

Please remember that at this time, we don't claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you're thinking "pfew, good thing we upgraded to 1.0 or we were toast", you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don't grant root access to the application.

Docker will soon support user namespaces, which is a great additional security layer but also not a silver bullet!

When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly.




Thank you for being so completely transparent about things like this, I wished this attitude was more common in the IT world.



Don't worry. This is how things get more secure. Just stay the course and whack the moles. :)

Docker is awesome by the way.


Speaking of whack a mole, last month I built a docker image for the Trinity syscall fuzzer. It's a great way of finding those moles, for anyone interested in contributing to either Docker or the kernel:

https://registry.hub.docker.com/u/ewindisch/trinity/


It is better to think "less insecure" than "more secure".


Great response on this. Nice seeing the transparency.


Great response.

"..., or ideally don't grant root access to the application."

+1


Solomon, as always, brilliant and to the point. Keep rocking!!


also worth noting that you can still de-elavate the process in the container, discourse web runs under the discourse user in the container.


I don't use Docker, but this is just good peace-of-mind practice.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: