zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. tgtwea+Bf[view] [source] 2025-12-17 22:37:20
>>jakels+(OP)
Just a note - you can very much limit cpu usage on the docker containers by setting --cpus="0.5" (or cpus:0.5 in docker compose) if you expect it to be a very lightweight container, this isolation can help prevent one roudy container from hitting the rest of the system regardless of whether it's crypto-mining malware, a ddos attempt or a misbehaving service/software.
◧◩
2. tracke+5l[view] [source] 2025-12-17 23:10:55
>>tgtwea+Bf
Another is running containers in read-only mode, assuming they support this configuration... will minimize a lot of potential attack surface.
◧◩◪
3. 3eb798+BQ[view] [source] 2025-12-18 04:15:14
>>tracke+5l
Never looked into this. I would expect the majority of images would fail in this configuration. Or am I unduly pessimistic?
◧◩◪◨
4. hxtk+BZ[view] [source] 2025-12-18 06:07:32
>>3eb798+BQ
Many fail if you do it without any additional configuration. In Kubernetes you can mostly get around it by mounting `emptyDir` volumes to the specific directories that need to be writable, `/tmp` being a common culprit. If they need to be writable and have content that exists in the base image, you'd usually mount an emptyDir to `/tmp` and copy the content into it in an `initContainer`, then mount the same `emptyDir` volume to the original location in the runtime container.

Unfortunately, there is no way to specify those `emptyDir` volumes as `noexec` [1].

I think the docker equivalent is `--tmpfs` for the `emptyDir` volumes.

1: https://github.com/kubernetes/kubernetes/issues/48912

[go to top]