zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. tgtwea+Bf 2025-12-17 22:37:20
>>jakels+(OP)
Just a note - you can very much limit CPU usage on Docker containers by setting --cpus="0.5" (or cpus: 0.5 in Docker Compose) if you expect it to be a very lightweight container. This isolation can help prevent one rowdy container from hitting the rest of the system, regardless of whether it's crypto-mining malware, a DDoS attempt or a misbehaving service/software.
2. fragme+wj 2025-12-17 23:01:56
>>tgtwea+Bf
The other thing to note is that Docker is, for the most part, stateless. So if you're running something that has to deal with questionable user input (images and video or, more importantly, PDFs), the approach is to stick it on its own VM, cycle the Docker container every hour and the VM every 12, and then still be worried about it getting hacked and leaking secrets.
3. tgtwea+NU 2025-12-18 05:17:24
>>fragme+wj
Most of this is mitigated by running Docker in an LXC container (like Proxmox does), which grants a lot more isolation than Docker on its own - closer in nature to running separate VMs.
4. butvac+kQ1 2025-12-18 13:54:54
>>tgtwea+NU
Too bad it straight doesn't work without heavy mods in PVE 9.
5. tgtwea+RS2 2025-12-18 18:36:41
>>butvac+kQ1
illumos had a really nice stack for running containers inside jails and zones... I wonder if any of that ever made it into the Linux world. If you broke out of the container you'd just be inside a jail, which is even more hardened.
6. cyphar+Xk4 2025-12-19 04:27:17
>>tgtwea+RS2
SmartOS constructed a container-like environment using LX-branded zones; they didn't create an in-kernel equivalent to Linux's namespaces which it then nested in a zone. You're probably thinking of the KVM port to Solaris/illumos, which does run in a zone internally to provide additional protection.

While LX-branded zones were a really cool tech demo, maintaining compatibility with Linux long-term would be incredibly painful and you're bound to find all sorts of horrific bugs in production. I believe that Oxide uses KVM to run their Linux guests.

Linux has always supported nested namespaces and you can run Docker containers inside LXC (or Incus) fairly easily. Note that while it does add some additional protection (in particular, it transparently adds user namespaces which is a critical security feature most people still do not enable in Docker) it is still the same technology as containers and so kernel bugs still pose a similar risk.

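The resource cap from the first comment and the user-namespace point from the last one, as an added example that is not from the thread or from any commenter. The service name, image name and size limits are assumptions chosen for a small service that handles untrusted uploads; the option names are standard Compose Specification keys.

```yaml
# Added example (not from the thread): a Compose service capped at half a core,
# plus a few defensive limits that contain a compromised container. The service
# name, image and numeric limits are assumptions; adjust them to the workload.
services:
  thumbnailer:                          # hypothetical lightweight service
    image: example/thumbnailer:latest   # placeholder image name
    cpus: 0.5            # same effect as `docker run --cpus="0.5"`: hard CPU ceiling,
                         # so a miner can only burn half a core, not the whole host
    mem_limit: 256m      # a miner or a leak cannot eat host RAM
    pids_limit: 100      # caps runaway process spawning inside the container
    read_only: true      # immutable root filesystem; dropped payloads have no
                         # persistent place to land between restarts
    tmpfs:
      - /tmp:size=64m    # scratch space that disappears with the container
    cap_drop:
      - ALL              # start from zero capabilities; add back only what is needed
    security_opt:
      - no-new-privileges:true   # setuid binaries cannot escalate inside the container
    restart: unless-stopped
```

The CPU cap limits blast radius, not the breach itself: a container that is mining is still compromised and still needs the forensics and rebuild the original post describes. User namespaces, which the last comment calls out as the critical setting most Docker users leave off, are a daemon-level choice rather than a per-service one: setting `"userns-remap": "default"` in `/etc/docker/daemon.json` makes root inside every container map to an unprivileged UID on the host. A Compose file cannot turn that on, but `userns_mode: "host"` turns it off for a service, so its absence from a hardened file like the one above is deliberate.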