Collaborate Disseminate
According to the JellyFin documentation
Podman doesn’t require root access to run containers, although there are some details to be mindful of; see the relevant documentation. For security, the Jellyfin container should be run using rootl… Continue reading Why is it safer to run as non-root inside a single-user container that is deployed with rootless podman?
I’m currently working on a project where I need to edit a runc configuration to stop allowing for wildcard cgroup device access inside the container, or essentially writing below to devices.allow. This is apparently due to some potential s… Continue reading Security issues with cgroup device access in privileged container
I am reviewing a kubernetes environment. I can see that the host docker/containerd socket is mounted into the containers. Do we really need docker in docker in production environments? What are the security consequences of it?
Note: Its no… Continue reading Docker in docker usecases and alternatives [closed]
I am trying to mount a secret in the pod securely. I have created the secrets with defaultMode: 0400 and runAsUser:1000. However when i am trying to access the secret in the container after doing exec in it, the secret file is owned by roo… Continue reading Mounting secrets with proper access control in kubernetes pods
Jack Wallen demonstrates how to attach and remove nodes from clusters in Docker Swarm to scale your services up and down as needed.
The post How to scale Docker Swarm services appeared first on TechRepublic.
Continue reading How to scale Docker Swarm services
Google announces the general availability of ‘rules_oci’ Bazel plugin to improve the security of container images.
The post Google Releases Open Source Bazel Plugin for Container Image Security appeared first on SecurityWeek.
Continue reading Google Releases Open Source Bazel Plugin for Container Image Security
I am using singularity sandboxes in my workflow for several reasons unrelated to security. However, after using it a bit, I am now wondering: is using a singularity sandbox an effective way to increase security by enforcing isolation / com… Continue reading Is using a singularity sandbox an effective way to increase security through isolation / compartmentalization?
Edit: though my wording may not be exact, I understand that two containers don’t have access to the same memory at the same time. My question is can one container see data that another has deallocated?
LXC allows us to over-provision RAM.
… Continue reading Is RAM wiped before use in another LXC container?
Fair warning – I am a security newbie.
In all container escape/breakout vulnerability scenarios I’ve read (CVE-2022-0185), the author assumes or states that the attacker already had shell or SSH access to the container. When I follow this … Continue reading What’re the most common vulnerabilities/weaknesses an attacker would exploit to gain SSH access to a container?
I’m evaluating running Chromium without native sandboxing in a rootless container. A few points:
You can containerize Chrome using rootless containers with something like podman. This will utilize kernel user-namespaces to isolate the Chr… Continue reading What are the potential vulnerabilities with containerized rootless Chrome and –no-sandbox?