Hacker News new | past | comments | ask | show | jobs | submit login

"A malicious container running on a Docker-run host is deployed and ran"

A most relevant question being, how does this "malicious container" get onto the host in the first place?




You might be surprised by the number of developers who get really upset if their workplace doesn't allow "pull random containers off the Internet" as part of their workflow.


Well if you don't want to let devs run arbitrary code off the internet on their machines, that cuts off more than Docker Hub, it cuts off almost every package manager under the sun.

If I had to work under such a restriction, I would ask for a cheap spare machine, running on a guest network and hosting no sensitive code, where I could download and try random packages off the internet before I could submit them for audit, approval and vendoring.


Cloud hosting... if you're on the same physical node as a malicious actor, then ouch.


Did you ever see cloud hosting where you can run privileged containers on a shared machine?


Privileged? Maybe not. But in general, Docker is not a security boundary, but people treat it like one.


The services I have experience with host containers on a VM that is not shared between customers.


That's good. But I don't think the major cloud providers make it very obviously, either way. And when something's not clear, often the answer isn't good.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: