zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. tgtwea+Bf 2025-12-17 22:37:20
>>jakels+(OP)
Just a note - you can very much limit CPU usage on the Docker containers by setting --cpus="0.5" (or cpus: 0.5 in docker compose) if you expect it to be a very lightweight container. This isolation can help prevent one rowdy container from hitting the rest of the system, regardless of whether it's crypto-mining malware, a DDoS attempt or a misbehaving service/software.
2. tracke+5l 2025-12-17 23:10:55
>>tgtwea+Bf
Another is running containers in read-only mode; assuming they support this configuration, it will minimize a lot of potential attack surface.
3. 3eb798+BQ 2025-12-18 04:15:14
>>tracke+5l
Never looked into this. I would expect the majority of images would fail in this configuration. Or am I unduly pessimistic?
4. flower+T21 2025-12-18 06:48:58
>>3eb798+BQ
Read-only and rootless are my two requirements for Docker containers. Most images can't run read-only because they try to create a user in some startup script. Since I want my UIDs unique to isolate mounted directories, this is meaningless. I end up having to wrap or copy Dockerfiles to make them behave reasonably.

Having such a nice layered build system with mountpoints, I'm amazed Docker made read-only an afterthought.
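The three settings discussed above (a CPU cap from comment 1, a read-only root filesystem from comment 2, and a fixed non-root UID from comment 4) fit in one Compose service definition. The file below is an added illustration written for this thread, not configuration from the original post or from any of the commenters; the image name example/app:1.0, the UID 10001, the port and the writable paths /tmp and /run are assumptions. The last three settings (cap_drop, no-new-privileges, pids_limit) go slightly beyond what the thread mentions but apply the same isolation idea.

```yaml
# docker-compose.yml -- added example for this thread, not from the original post.
# Assumptions: image example/app:1.0 listens on 8080 and only needs to write
# under /tmp and /run.
services:
  app:
    image: example/app:1.0

    # Comment 1: cap the service at half a core. The CLI equivalent is
    # `docker run --cpus="0.5"`. A miner that takes over this container can
    # never use more than 50% of one CPU, whatever it does inside.
    cpus: 0.5

    # Comment 2: mount the container root filesystem read-only. Paths the
    # process genuinely has to write get a tmpfs instead, so nothing written
    # at runtime (a dropped miner binary, for instance) survives a restart.
    read_only: true
    tmpfs:
      - /tmp
      - /run

    # Comment 4: run as a fixed, non-root UID unique to this container so
    # that bind-mounted directories are owned by that UID alone. This is the
    # combination that breaks images whose entrypoint runs useradd/chown at
    # start: with read_only and a non-root user those calls fail, and the
    # image has to be wrapped or its Dockerfile copied, as comment 4 says.
    user: "10001:10001"

    # Beyond the thread, same spirit: no Linux capabilities, no privilege
    # gain through setuid binaries, and a ceiling on process count so a
    # compromised service cannot fork-bomb the host.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    pids_limit: 128

    # Bind only to loopback; put a reverse proxy in front if it must be public.
    ports:
      - "127.0.0.1:8080:8080"
```

To check that the settings actually took effect rather than trusting the file, inspect the running container: `docker inspect --format '{{.HostConfig.ReadonlyRootfs}} {{.HostConfig.NanoCpus}}' <container>` should print `true 500000000` (NanoCpus is the --cpus value times 10^9). To find out in advance whether an image tolerates this configuration (the doubt raised in comment 3), start it once with `docker run --rm --read-only --user 10001:10001 example/app:1.0` and look for "Read-only file system" or "Permission denied" errors from its entrypoint; each one is a path that needs a tmpfs or volume, or a startup script that needs wrapping.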
