
Docker containers can run in other places where they are secure; IIRC Joyent has a way to do this in their cloud.



You haven't refuted my point. People take a stance that docker can run untrusted code without actually looking at what they have to do for that to be true.


I haven't taken the stance that all docker containers can run untrusted code, but I've certainly done my best to harden my docker containers as much as possible. If you took a look at that write up I cover it.

I run with the flags: --net=none --cap-drop=all --cpus=1 --read-only --tmpfs=/tmp:rw,size=1g,mode=1777,noexec

This gives it no way to communicate with the outside world and drops all capabilities, so it's not allowed to interact with the kernel at all. Setting the CPU limit to 1 also prevents DoS attacks internally.

I also run the process under the nobody user which entirely avoids the "container root is system root" issue.

I'm also only sort of running "untrusted" code. I'm running tensorflow models which can do arbitrary computation but are more secure than just running raw code.
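An added example, not from this thread, that checks whether a running container actually has the hardening the comment above lists by reading `docker inspect` output (HostConfig/Config fields). The inspect JSON below is a constructed sample standing in for `docker inspect <container>`; run it against real output by piping that output on stdin.

```python
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields the audit
# reads; it mirrors the flags in the comment above (not taken from a real host).
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": "nobody"},
    "HostConfig": {
        "NetworkMode": "none",                 # --net=none
        "CapDrop": ["ALL"],                    # --cap-drop=all
        "CapAdd": None,
        "ReadonlyRootfs": True,                # --read-only
        "NanoCpus": 1_000_000_000,             # --cpus=1
        "Tmpfs": {"/tmp": "rw,size=1g,mode=1777,noexec"},
    },
}])

# Constructed contrast sample: a container started with Docker's defaults.
WEAK_INSPECT = json.dumps([{
    "Config": {"User": ""},
    "HostConfig": {"NetworkMode": "bridge", "CapDrop": [], "CapAdd": ["NET_ADMIN"],
                   "ReadonlyRootfs": False, "NanoCpus": 0, "Tmpfs": {}},
}])


def audit_container(inspect_json: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    info = json.loads(inspect_json)[0]
    hc = info.get("HostConfig", {})
    cfg = info.get("Config", {})
    findings = []
    if hc.get("NetworkMode") != "none":
        findings.append("network: container is not --net=none")
    dropped = {c.upper() for c in (hc.get("CapDrop") or [])}
    if "ALL" not in dropped:
        findings.append("capabilities: --cap-drop=all is missing")
    if hc.get("CapAdd"):  # CapAdd re-grants capabilities after CapDrop
        findings.append("capabilities: CapAdd re-grants " + ",".join(hc["CapAdd"]))
    if not hc.get("ReadonlyRootfs"):
        findings.append("filesystem: --read-only is missing")
    nano = hc.get("NanoCpus") or 0  # 0 means no CPU limit at all
    if nano == 0 or nano > 1_000_000_000:
        findings.append("cpu: no --cpus limit of 1 or less")
    tmp_opts = (hc.get("Tmpfs") or {}).get("/tmp", "").split(",")
    if "noexec" not in tmp_opts:
        findings.append("tmpfs: /tmp is not mounted noexec")
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append("user: process runs as root inside the container")
    return findings


if __name__ == "__main__":
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    print("\n".join(audit_container(src)) or "all checks passed")
```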



