Do you host all services just from your root account with docker or do you seperate the services between user accounts with rootless docker?

Do you use podman or docker?

It’s easier to just host everything from root with normal docker, but seperating services into special user account is probably way saver, at least as far as i know. Do you think ist worth going the extra step or do you just trust docker and your containers to not get exploited?

Last but not least do you use an automatic update service for your host system and your containers?

  • @easeKItMAn
    link
    English
    1
    edit-2
    1 year ago

    I’m using network overlays for individual containers and separation.
    Secondly fail2ban installed on host to secure docker services. Ban FORWARDING chains specific to docker instead of INPUT chains. [fail2ban docker](Configure Fail2Ban for a Docker Container – seifer.guru) Use 2FA for services if available.

    Rootless docker has limitations when it comes to port exposing, storage drivers, network overlays etc.

    The host is auto-updating security batches but rebooted manually only.
    Docker containers are updated manually too. I built all containers from file and don’t pull them because most are modified (plugins, minimizing sizes, dedicated user rights etc.)