Context

I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.

Requirements

I want to run applications within containers such that they

  • Must not be able to interfere with applications running on host
  • Must not be able to interfere with other containers or applications inside them
  • Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.

Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.

What I found so far

  • Running containers in rootless mode: in other words, running the container daemon with an unprivileged host user
  • Running applications in container under unprivileged users: the container user under which the container is ran should be unprivileged
  • Networking: The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.

Alternative solution

I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.

  • Codilingus@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    My solution that took awhile to figure out is fantastic IMO. Docker containers unprivileged, with nobody permissions, with their own IPs on macvlan, with matching vlan and good firewall rules. A docker network proxy container, Traefik, Authelia, CrowdSec, and a CrowdSec Traefik Bouncer containers.

  • hackerwacker@lemmy.ml
    link
    fedilink
    arrow-up
    0
    arrow-down
    1
    ·
    1 year ago

    Containers are meant to simplify operational aspects of development and deployment. For proper isolation you should use virtual machines.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      By default a container runs with network, storage and resources isolated from the host. What about this isolation is not “proper”?

      • hackerwacker@lemmy.ml
        link
        fedilink
        arrow-up
        0
        arrow-down
        2
        ·
        1 year ago

        Because OP is looking for security isolation, which isn’t what containers are for. Much like an umbrella stops rain, but not bullets. You fool.