Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

mankicks

Members
  • Joined

  • Last visited

Everything posted by mankicks

  1. This is a big deal. Many people mistakenly assume that LXC/OCI is inherently secure. Runtimes aren't perfectly secure AND there are many insecure container configurations out there (on Community Applications, Dockerhub, GitHub and elsewhere). This is usually to make stuff work with the least amount of pain for the greatest number of users. People providing wrapper scripts and templates aren't always putting security first or vetting the code of the projects. They aren't intentionally neglecting security and I'm not suggesting they're setting anyone up to get hacked, but the priorities tend to be functionality and ease of use no matter where you're getting free code. I'm actually less concerned with runtime vulnerability exploitation than sloppily-designed containers and templates, since the former is a bit more rare. Having rootless dockerd or rootless podman be the default container user space would prevent the worst outcomes from bad actors and malware in most cases. Commercial customers, especially, will expect a rootless option and not having that be the default will raise eyebrows in the future. Users should 100% be reviewing, at minimum, the Dockerfile for each container they install. It's easy to disguise malicious configurations as convenience or simple ignorance. Pre-built images can conceal bad stuff more easily than ones you have to build. Users should also consider which components of their container stack need network access and should not connect any container to the internet, or even to their real physical LAN, unless there's a reason to. Do you need MariaDB listening on your home wifi network, or would it suffice to connect it + the containers that need to connect to it together on a local-only Docker network? (If anyone's interested in a quick rundown on how to do the latter: Turn on 'preserve custom networks' setting in Docker settings area of Unraid settings Do 'docker network create --local databasenetwork' from Unraid shell In the post args of a template add '&& docker network connect databasenetwork nameOfContainerThatNeedsMariaDB' Proceed to update any references between the containers that need to talk to each other so they just use each hostnames' (mdns should be working out of the box with docker or podman, and as long as they share a network they should find each other by name) ) When you have rootful dockerd, sans any customization efforts to lock down behavior, the software inside any container you run gets free reign to open ports and bypasses your regular ufw/firewalld/iptables/nftables rules by default. (From shell, do 'docker network ls', find your default network, then 'docker network inspect default_network_probably_eth0' ... you'll get a nice JSON printout telling you what's connected etc. , then just do a 'nc PHYSICAL_SERVER_IP_HERE PORT_NUMBER_HERE' or whatever port scanning tool you want to use. Chances are if the container wanted it open then it's bound and listening on your host's NIC.) My fingers are tired so I'm calling it here. I hope the community and Lime Technology plan on taking container security more seriously as the community grows. cheers

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.