zlacker

[return to "A story on home server security"]
1. smarx0+P4[view] [source] 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

◧◩
2. anthro+x6[view] [source] 2025-01-05 14:01:02
>>smarx0+P4
And this was one of the reason why I switched to Podman. I haven't looked back since.
◧◩◪
3. MortyW+xa[view] [source] 2025-01-05 14:39:59
>>anthro+x6
I want to use Podman but I keep reading the team feels podman-compose to be some crappy workaround they don’t really want to keep.

This is daunting because:

Take 50 random popular open source self-hostable solutions and the instructions are invariably: normal bare installation or docker compose.

So what’s the ideal setup when using podman? Use compose anyway and hope it won’t be deprecated, or use SystemD as Podman suggests as a replacement for Compose?

◧◩◪◨
4. anthro+Id[view] [source] 2025-01-05 15:08:17
>>MortyW+xa
Podman supports kubernetes YAML or the quadlets option. It's fairly easy to convert docker-compose to one of these.

Nowaday I just ask genAI to convert docker-compose to one of the above options and it almost always works.

◧◩◪◨⬒
5. smarx0+Bh[view] [source] 2025-01-05 15:37:24
>>anthro+Id
Is there a blog post/tutorial on how to take a fairly complex docker-compose.yml and migrate it to quadlets?

UPD: hmm, seems quite promising - https://chat.mistral.ai/chat/1d8e15e9-2d1a-48c8-be3a-856254e...

[go to top]