March 31, 2020
It would be nice to see some security tools around the docker. For example maybe something that can do vulnerability scanning and reporting of your running containers. It would be helpful for many reasons, perhaps adding additional firewall rules to prevent attacks, upgrading, downgrading etc. I know there are open source tools and images that already exist with many features that we could all benefit from.
April 1, 2020, Author
Comment: Honestly surprised this has not received more attention in here... Considering Unraid's primary function is to house all your data as a NAS and I'd imagine many people store sensitive or personal data/documents on their servers... right? Combine that with running applications (docker images) that share the same kernel and mounted filesystems that someone else (other than the programmers) is building (the docker images)... nobody is concerned? If you trust the image owners, after they are deployed nobody has concerns about them containing exploits or knowing if they are vulnerable? I'm not sure if everyone is naive or just doesn't care about their data on their Unraid server or their home network in general. Can anyone who doesn't maintain the docker images tell me if you have CVE-2019-5021 on your Alpine Linux running containers? I'd guess nobody can confidently answer that without spending significant time researching it or already having tools scanning.
Supporting Info: This is a decent writeup back in 2017. https://sysdig.com/blog/7-docker-security-vulnerabilities/ Also this in 2019 (has video) https://www.techrepublic.com/article/docker-containers-are-filled-with-vulnerabilities-heres-how-the-top-1000-fared/
Summary: My point is that many of these containers are communicating with the internet.
1. We don't know what is in the images we are downloading/updating (unless you are one of those people that hash matches all the binaries and configs to the master).
2. Your containers will or do have vulnerabilities and you will have no idea about it.
If you are running a container that the image maintainer stopped updating (maybe they are on vacation) and an exploit is discovered, well good luck. Considering the current state of the world with COVID-19... you will see an increase of ransomware! It won't matter who you are... people need money and take advantage in times like these. I can personally attest to this: I have a unifi firewall and it is running IDS and the amount of attacks against my IP has increased. https://www.businessinsider.com/ransomware-attack-hospitals-coronavirus-covid-19-2020-3
Want/Ask/Need: I would really like to see some integrations of tools that scan against the images and running containers. There are a lot of smart people in here and I'm sure everyone can benefit from having a container that does scanning of other containers. Wouldn't it be nice to know you have a problem with a docker (a CVE was released yesterday) and this image is vulnerable? That could allow you to at least disable the services until it is updated or follow the CVE and perhaps mitigate the risk another way.
Disclaimer: I am not a dev. I want to generate interest from the community and see if any devs would be interested in this project. As GI Joe says... Knowing is half the battle.
Quote: You can't fix what you don't know is broken.
Edited April 2, 2020 by pish180: Added Disclaimer.
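Added example, not part of the original posts: one way to answer the CVE-2019-5021 question above for running containers. That CVE is an empty root password field in /etc/shadow of affected official Alpine images, so the check reads each container's shadow file and classifies the root entry. The function names and sample shadow lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example: check containers for the CVE-2019-5021 condition
# (empty root password field in /etc/shadow).

# Classify the root entry of a shadow file read from stdin.
# Prints one of: empty | locked | set | missing
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"    # no password required
            else if ($2 ~ /^[!*]/) print "locked"   # password login disabled
            else                   print "set"      # a password hash is present
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Walk every running container. "docker cp ... -" streams the file as a
# tar archive, so this works even when the image has no shell or cat.
scan_running_containers() {
    docker ps --format '{{.ID}} {{.Image}}' | while read -r id image; do
        state=$(docker cp "$id:/etc/shadow" - 2>/dev/null \
                | tar -xOf - 2>/dev/null | root_password_state)
        printf '%s\t%s\troot password: %s\n' "$id" "$image" "$state"
    done
}

# Constructed sample shadow contents (not taken from any real system).
SAMPLE_VULNERABLE='root:::0:::::
bin:!::0:::::'
SAMPLE_FIXED='root:!::0:::::
bin:!::0:::::'

# Only touch the Docker daemon when explicitly asked to.
if [ "${1:-}" = "scan" ]; then
    scan_running_containers
fi
```

Pass `scan` as the first argument on the Docker host to list every running container with its root password state. An `empty` result matters most where something inside the container authenticates against /etc/shadow, and the check covers only this one CVE, not general vulnerability scanning.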
April 1, 2020
Are you asking how much interest there is so you know whether or not to spend your time working on implementing this for others' benefit? If so, maybe say that upfront. Otherwise it just sounds like you want to volunteer someone else's time for your interests. If you develop it and it works well, I'm sure there will be people wanting to use it.
April 2, 2020, Author
2 hours ago, jonathanm said:
> Are you asking how much interest there is so you know whether or not to spend your time working on implementing this for others' benefit? If so, maybe say that upfront. Otherwise it just sounds like you want to volunteer someone else's time for your interests. If you develop it and it works well, I'm sure there will be people wanting to use it.
That's a good point. I would have put this post in the request section but that is blocked off. The goal with this post is really 3 things:
1. Hopefully build some interest amongst the community
2. Once we have some interest, see if any devs want to take on the challenge.
3. End Product?
Wanting to volunteer someone else's time. - Seems like a negative way to word it. If that is what you consider a request to build something to be, then I guess I'm guilty. 🙄 Every project starts with an idea/request/issue. With more users backing a request a dev would feel:
1. More motivated
2. More likely to be incentivised
3. Have a positive impact on the community
Depending on what motivates them. FTR I have supported many developers via Patreon and other donations for their work. Just wanted to throw that out there. Hope that helps.
April 2, 2020
8 hours ago, pish180 said:
> I would have put this post in the request section but that is blocked off.
Anyone can post in the Feature Requests forum, just not the sub-forums.
April 4, 2020, Author
On 4/2/2020 at 5:11 AM, johnnie.black said:
> Anyone can post in the Feature Requests forum, just not the sub-forums.
DOH. Is one of the mods able to move it? I swear I recall trying to and there was no button to create a thread. I guess as you mentioned I was probably in a sub-forum. Ideally I would like it in the FR section. If not I guess I can re-create it there.
February 8, 2021
I'm almost a year late to the party but I would also love to see the docker daemon ripped out and replaced with podman.
February 11, 2021, Author
Maybe a second look for an interested container expert to get this working for the community? Please.
April 9, 2021, Author
Any of the devs consider looking at this? Maybe something like Anchore, Clair, etc. or another docker file that we can add to Unraid that would scan all the docker images we have in our Local Docker Repo and provide a report for UnRaid users? I think this would be really valuable for the community so they know of the images they are running, if there are any vulnerabilities, and let them determine if it's an acceptable risk. Thanks!
June 6, 2022
Can Docker Rootless be run on Unraid? Documentation - https://docs.docker.com/engine/security/rootless/
May 30, 2025
> Maybe a second look for an interested container expert to get this working for the community? Please.
> Can Docker Rootless be run on Unraid? Documentation - https://docs.docker.com/engine/security/rootless/
I now see that I was very late to the party when I created https://forums.unraid.net/topic/152340-support-rootless-podman-as-container-runtime/ a year ago. Since I created the RFE I've been trying to get "rootless" to work. I can't say I'm an expert but I'm interested and would really like this to work. So far, I haven't been able to get docker rootless to work, it seems to be up and running and the daemon is working, but trying to start a container fails because of permissions. I've had more success with podman but there are still things to do before I would call it "stable and ready".