The argument in favor of just using root inside the container - which is the default - is that user uid=0 is already pretty limited inside the container. This doesn’t affect regular web apps, but reduces the vectors of attack by malicious users considerably.īy default Docker drops all capabilities except those needed, an allowlist instead of a denylist approach. “root” within a container has much less privileges than the real “root”. Docker documents the limited functionality of the root user (by which I mean uid=0) inside a container. There is an argument to make that using a non-root user inside a Docker container is not required. Why care about a non-privileged user inside a container?
No complicated file modifications or terminal configuration. It should take 1-2 minutes (including docker pull time) for an end-user to get started with this container.For this bullet, I am looking at the Linux kernel capabilities and enforcing that none are used. We must grant access to our host's X server to draw an application on the screen.PGModeler will run as the modeler user, which does not have sudo privileges inside the container.I have not contributed to the PgModeler project, but I did create this Docker container to easily use it.
#PGMODELER GETTING STARTED FOR FREE#
PgModeler has a GPL-3.0 license and allows you to compile it from source for free pre-compiled binaries are available for a modest fee. It is a QT-based application with relatively involved compilation instructions if you are building from source. PgModeler is a tool to visually develop and maintain PostgreSQL schemas. The rest of the article will explain everything happening in this simple, secure command. If you are just here for the Docker command, here it is:Įnter fullscreen mode Exit fullscreen mode However, the result is a handful of extra lines to your Dockerfile and two volumes passed during docker run.
#PGMODELER GETTING STARTED HOW TO#
Understanding how to secure a Docker container requires understanding the underlying Linux behaviors taking place so we will discuss them in-depth. I will show you how to configure your graphical Docker image securely using my PgModeler image as an example. I have seen many examples of GUI Docker images requiring -privileged or other capabilities to be passed to the container, have seen weird graphical hacks such as running a VNC or SSH server inside the container and exposing the application through that, or running the application inside the container as root. However, I have not seen great recommendations online on how to do this. The epitome of the greatness that is containerized applications. Take the relatively larger complexity of a graphical app, encapsulate all of the brittle graphical compilation requirements, and serve a consistent experience regardless of your users' actual hardware. Running a graphical application via a Docker container sounds awesome.
0 kommentar(er)
