Tuesday, May 21, 2019

container root account misconfigurations

I did not read the article titled "Root account misconfigurations found in 20% of top 1,000 Docker containers | ZDNet" but I found myself pretty mad about the inference. Also while I'm no container expert I have some strong system opinions. And because I'm so frustrated this is going to be very short and to the point.

Containers that are built on anything more than just a simple binary and maybe some static data and/or some volumes and networks is just stupid. [a] first you have core OS processes running in both the host and guest [b] there are other OS exploits in privilege escalation and other IPC between the guest and host [c] there are all the cron'd and other services that are now duplicated leaking even more resources [d] there are processes that you are not aware of that also leak ports.

The ideal container is JUST the binary and links to persistent storage and other services like a DB.

In one of my current projects I've taken the risk of including a complete OS in my container, however, due to some other time to market constraints and a risk assessment I'm using shell and shell commands from within my app to get other types of work done. At some point I should be able to move 100% of the code into the app but again the risk is so low.

No comments:

Post a Comment

another bad day for open source

One of the hallmarks of a good open source project is just how complicated it is to install, configure and maintain. Happily gitlab and the ...