• Dasnap@lemmy.world
    link
    fedilink
    English
    arrow-up
    70
    arrow-down
    1
    ·
    1 year ago

    The amount of the internet and cloud infrastructure that is built on public Docker images makes this… worrying.

    • Ellie@lemmy.silkky.dev
      link
      fedilink
      English
      arrow-up
      49
      arrow-down
      1
      ·
      1 year ago

      This isn’t really surprising and isn’t actually a real security issue with Docker itself or any of the popular public images. Docker Hub is a public registry so people inexperienced with Docker accidentally include secrets in their images and upload it to Docker Hub, this is actually pretty well known and the Docker docs specifically warn people about this.

      • Fryboyter@discuss.tchncs.deOP
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        8
        ·
        1 year ago

        How can you be sure it doesn’t affect popular images? The probability may be lower, but I don’t think you can rule it out.

        • Ellie@lemmy.silkky.dev
          link
          fedilink
          English
          arrow-up
          19
          arrow-down
          1
          ·
          1 year ago

          The most popular images on Docker Hub are official / library images, they are curated and monitored by Docker for best practices and security vulnerabilities. I’m not saying that means you should trust them completely, it’s always best practice to read the source of an image before you use it.

        • deejay4am@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          2
          ·
          1 year ago

          This doesn’t mean that YOUR secrets are exposed by using the image, btw - this means that whomever built that image would be accidentally exposing their secrets.

          Unless you built the image and added your secrets to it and then uploaded it to a public Docker registry. But again, that’s not a flaw in Docker.

        • Sethayy@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          7
          ·
          1 year ago

          Sane way you cant be sure your soap isnt poision, sure the manufacturing line could have messed up but like… the shady burger joint down the street is a lot more likely to have slipped up. The probability of anything is not zero, but we ignore a hell of a lot of possibilities

        • abraham_linksys@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          There is a nonzero probability of getting hit by a meteor at any time. A woman in Alabama was hit by one while she was inside her home, you’re not even safe indoors!

          You all might think I’m a fool for wearing a helmet every time I leave my definitely meteor-proof house, but I’m not taking any chances.

          • Spaniard@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            3
            ·
            1 year ago

            You are a fool because no helmet can protect you from a projectile that crossed space, survived entrance in the atmosphere. All that just to hit you

            • deejay4am@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              Wait so who is the atmosphere and who are the solar winds in this metaphor? I’m having trouble seeing the point through all the pedantry over allegorical choice

      • Burn1ngBull3t@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        It’s actually how people build their images, in which some include sensitive data (when they should definitely not). It’s the same problem as exposed S3 buckets actually, nothing wrong with docker in itself.

          • Burn1ngBull3t@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Actually yes, I had a look at them since i wanted to write HelmCharts for the community. That’s also where the community can step up, it can only be better 😊

            • 𝘋𝘪𝘳𝘬@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I actually started looking into creating own Docker images because of how bad Lemmy’s Docker instructions are. I’m not even close to anything usable, though …

      • Laser@feddit.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I guess it depends, if it’s a secret in use for the image, an attacker might use it to attack a pulled instance if the user deploying it didn’t change the secret. Kind of like an unchanged initial password.

    • moon_matter@kbin.social
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Is this even a legitimate problem? Lots of people, myself included, have a “local” configuration. All of the services and credentials mentioned in the config are running on my personal machine for testing only during active development. None of those credentials refer to any sort of “real” service that’s on 24/7 and accessible via the internet. It’s effectively dummy data to the rest of the world and I imagine there are a ton of false positives like what I just described.

  • Laser@feddit.de
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    4
    ·
    edit-2
    1 year ago

    Of course. In my opinion, what Docker is used for on Hub is a different model than it was originally supposed to solve. It was designed as a solution for enterprise where the development team had no easy control over the production environment, so the solution was to bundle the platform with the software. However, your production team is usually trustworthy, so leaking secrets via the container isn’t an issue (or actually sometimes you wanted the image to include secrets).

    The fact that Hub exists is a problem in itself in my opinion. Even things like the AUR - which comes with its own set of problems - is a better solution.

    nix provides a solution to build clean Docker images. But then again it only works for packages that are either in nixpkgs already or you have written a derivation for, the latter being probably more effort than a quick and dirty dockerfile.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      16
      ·
      1 year ago

      Well not the Hub itself is the problem, rather the fact it’s being used wrong. You’re not supposed to publish your private images publicly, if you do that’s your problem. The Hub (or Docker) are pretty much completely unrelated to this issue. People who do this are probably also going to leave S3 buckets unsecured, commit passwords to Git and so on and so forth.

  • corytheboyd@kbin.social
    link
    fedilink
    arrow-up
    15
    ·
    edit-2
    1 year ago

    I’m sure plenty of the offenders are legitimate, but it’s completely safe to check private key pairs into code, or to bake them in to images. It entirely depends on what the key pairs are used for. Very common to include key pairs for development/test environments, for example. If it’s a production secret, of course you don’t do this.

    • andrew@lemmy.stuart.fun
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      You’re right in one sense but when you get to the last sentence your argument breaks down.

      The same type of secret should be treated the same way. The problem with treating environments different is that it builds bad habits especially for new devs who come in and see it being done in a certain way. But also, humans screw up and it’s better to just build the habit of not committing anything private outside of prod-like credential stores even if it’s not the prod instance.

      • deejay4am@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Yeah, exactly. Don’t allow it anywhere, way less chance someone forgets to remove them from the prod build.

  • Aniki 🌱🌿@lemm.ee
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    1 year ago

    Bad admins gonna bad. shrug

    We build all our image layers in house from a base nginx or node image. We’re moving to [scratch[(https://hub.docker.com/_/scratch/) soon to even eliminate going to Docker hub at all.

    For home stuff, I don’t super care. I’ll just update as necessary and if something happens and someone gets in, it’s just my stuff.

  • GustavoM@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    As someone who has been religiously baking my own docker images on the last 2 months…? This worries me a bit.

    Then again, I don’t know much about this in detail, but I can bindly assume that scratch-based images are not affected by this “at all”.