If I used docker with the installation via omv-extras, is it possible to uninstall docker and replace the installation with a rootless one? If this is possible, can I start all my containers or compose files again without customization?
change docker to docker rootless
- OMV 6.x
- solved
- happyreacer
-
> If I used docker with the installation via omv-extras, is it possible to uninstall docker and replace the installation with a rootless one?
Sure but why are you doing that?
> If this is possible, can I start all my containers or compose files again without customization?
Maybe. Not all containers are happy rootless.
-
> Sure but why are you doing that?
Some Docker containers are accessible from the Internet. I would therefore feel more secure.
-
> Some Docker containers are accessible from the Internet. I would therefore feel more secure.
If they're all behind letsencrypt/swag then they should be secured.
And containers don't need to run as ID 0.
That is why it's advocated on this forum to create a user to be used for docker and run the containers with that user.
-
> I would therefore feel more secure
Personally, I run my containers in a VM which I consider more secure than rootless docker. Are any of your containers listening on a port less than 1024?
-
I use the linuxserver/swag container and I also use a PUID and a PGID in my compose files.
ryecoaaron, I use only port 443 and the subdomain configs. What is the background of your question?
-
> I use only port 443 and the subdomain configs. What is the background of your question?
You can't use a port less than 1024 rootless.
-
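Two things decide whether a compose file survives the move to rootless docker, both raised above: the advice to run containers under a dedicated user (a `user:` line, or PUID/PGID for images that honour it) and ryecoaaron's point that a host port below 1024 cannot be bound rootless. The following is an added example written for this thread, not code from OMV, omv-extras, linuxserver.io or any poster. It scans a compose file with sh and awk only, so it runs without docker installed; it understands the short `- HOST:CONTAINER` port syntax only (not the long `published:` form), and the compose file it checks is constructed for the demo.

```sh
#!/bin/sh
# Added example for this thread, not code from OMV or any poster.
# lint_compose FILE: report settings in a compose file that matter when moving
# from the root daemon to rootless docker:
#   1. a "ports:" entry whose host port is below 1024 (rootless docker cannot
#      bind it without extra capabilities)
#   2. a service with neither "user:" nor a PUID= environment entry, i.e. one
#      that will run as the image's default user, usually root
# Only the short "- HOST:CONTAINER" / "- IP:HOST:CONTAINER[/proto]" port
# syntax is recognised. Exit status: 0 if clean, 1 if anything was reported.
lint_compose() {
    awk '
    /^services:/                         { in_services = 1; next }
    in_services && /^[^ ]/               { in_services = 0 }
    # a two-space-indented key under services: starts a new service block
    in_services && /^  [A-Za-z0-9_.-]+:/ {
        if (svc != "" && !has_user) report_user(svc)
        svc = $1; sub(/:$/, "", svc); has_user = 0; next
    }
    in_services && (/^    user:/ || /PUID=/) { has_user = 1 }
    # short port syntax; the host port is the second-to-last colon field
    in_services && /^ *- *"?[0-9.:]*[0-9]+:[0-9]+/ {
        line = $0; sub(/^ *- */, "", line); gsub(/"/, "", line)
        n = split(line, p, ":"); host = p[n - 1] + 0
        if (host < 1024) {
            printf "%s: host port %d is privileged, not bindable under rootless docker\n", svc, host
            found++
        }
    }
    END {
        if (svc != "" && !has_user) report_user(svc)
        exit (found > 0 ? 1 : 0)
    }
    function report_user(s) {
        printf "%s: no user: or PUID= set, runs as the image default (usually root)\n", s
        found++
    }
    ' "$1"
}

# Constructed sample compose file (not from the thread): swag publishes 443
# and sets PUID/PGID; a second service publishes a high port but no user.
sample_compose() {
    cat <<'EOF'
services:
  swag:
    image: lscr.io/linuxserver/swag
    environment:
      - PUID=1000
      - PGID=1000
    ports:
      - "443:443"
  jellyfin:
    image: jellyfin/jellyfin
    ports:
      - 8096:8096
EOF
}

# Run the linter over the sample; returns the linter's exit status.
demo() {
    f=$(mktemp); sample_compose > "$f"
    lint_compose "$f"; rc=$?
    rm -f "$f"
    return $rc
}

demo || echo "fix the findings above before switching to rootless docker"
```

On the sample this reports `swag: host port 443 is privileged, not bindable under rootless docker` and `jellyfin: no user: or PUID= set, runs as the image default (usually root)`, and exits 1. Note the difference between the two ways of dropping root: `user:` is enforced by docker itself for any image, while PUID/PGID is an image convention (linuxserver.io images start as root and then drop to that UID/GID), so the linter accepts either but the second only helps with images that implement it.
-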
> I use the linuxserver/swag container and I also use a PUID and a PGID in my compose files.
That's how most people here do it.
But if you still feel insecure, you can block all external access and run those containers only locally.
Install Wireguard and only access the LAN services while tunneled via VPN.
In the end, you'll always have to feel a bit unsafe since there's always a port open to the outside.
Only way to feel 100% secure is to power down the server and disconnect all cables, (sorry just joking)
-
> You can't use a port less than 1024 rootless.
ryecoaaron, thank you for the information.
-
> That's how most people here do it.
> But if you still feel insecure, you can block all external access and run those containers only locally.
> Install Wireguard and only access the LAN services while tunneled via VPN.
> In the end, you'll always have to feel a bit unsafe since there's always a port open to the outside.
> Only way to feel 100% secure is to power down the server and disconnect all cables, (sorry just joking)
I know.
-
happyreacer added the label "solved".
-
> You can't use a port less than 1024 rootless.
You can, but you have to add capabilities: https://docs.docker.com/engine…exposing-privileged-ports
-
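The docs link above covers the mechanism; what actually gates a low port for rootless docker is the kernel sysctl `net.ipv4.ip_unprivileged_port_start` (1024 by default), which the unprivileged rootlesskit port forwarder cannot get past without `CAP_NET_BIND_SERVICE`. As an added example, not code from the thread or from the Docker documentation, the following shell checks that setting for a given port and prints the narrow and the broad fix without changing anything on the host. The printed command lines follow the rootless docs' "exposing privileged ports" section; the assumptions are a Linux host (`/proc/sys` readable) and `rootlesskit` being on PATH when option 1 is actually run.

```sh
#!/bin/sh
# Added example for this thread, not code from the Docker docs or from OMV.
# Rootless docker forwards published ports from an unprivileged process, so it
# can only bind ports >= net.ipv4.ip_unprivileged_port_start (default 1024).

# port_bindable_unprivileged PORT [START]
# START defaults to the running kernel's value; pass it explicitly to test.
# Returns 0 if PORT can be bound without CAP_NET_BIND_SERVICE, 1 otherwise.
port_bindable_unprivileged() {
    port=$1
    start=${2:-$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)}
    [ "$port" -ge "$start" ]
}

# explain_privileged_port PORT [START]
# Prints the two ways the rootless docs offer to publish a low port, from the
# narrowest change (capability on the rootlesskit binary only) to the broadest
# (every unprivileged process on the host may bind low ports). Prints only and
# changes nothing. Returns 0 if nothing is needed, 1 if one of these is.
explain_privileged_port() {
    port=$1
    if port_bindable_unprivileged "$port" "$2"; then
        echo "port $port: bindable rootless as-is, nothing to do"
        return 0
    fi
    cat <<EOF
port $port: below ip_unprivileged_port_start, rootless docker cannot publish it. Options:
  1. narrow: give only the rootless helper the capability, then restart the user daemon
       sudo setcap cap_net_bind_service=ep "\$(command -v rootlesskit)"
       systemctl --user restart docker
  2. broad: let every unprivileged process bind low ports (persist it via /etc/sysctl.d/)
       sudo sysctl net.ipv4.ip_unprivileged_port_start=0
Option 2 also applies to any other local user or compromised service on the host, not just docker.
EOF
    return 1
}

# swag in this thread publishes 443; with the kernel default this prints the options
explain_privileged_port 443 1024 || :
```

Option 1 is the one to prefer for the swag case: it hands a single capability to one binary, whereas option 2 is a host-wide policy change that any local process inherits, which is the "opens the exploit options back up" trade-off discussed next.
-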
> You can, but you have to add capabilities
True, but that starts to open the exploit options back up.
-
> True, but that starts to open the exploit options back up.
Can't have it all.
-
> Can't have it all.
True. That is why I follow VMware's approach and run docker in a VM. Even if the container is exploited, the attacker is stuck in the VM. Not great but better than access to the entire OMV box.
-
> True. That is why I follow VMware's approach and run docker in a VM. Even if the container is exploited, the attacker is stuck in the VM. Not great but better than access to the entire OMV box.
I thought about doing this when I rebuild my server in a couple of months... just haven't looked that heavily into it yet.
I'm hoping to order my MB, RAM, CPU, and PSU next week. Then I'm not sure whether I'll go ahead and just rebuild with my old drives, or wait till I pick up all my new drives around the end of July. Of course, on Saturday I was pleasantly "greeted" by a 17-year-old driver with a beginner's permit (who of course had no adult with her), no insurance, and a paper tag that expired in April.. lol. Fortunately my car was drivable... so I'm waiting on the police report to use my uninsured motorist coverage... Driving to work today, a rock flew off a truck and put a good-sized spot in my windshield, about 3 in wide. I got their phone number and took a picture, which I'm sure will do absolutely nothing. I guess I'm just glad it's on the lower passenger side.
I've had a great week..