From: Kashif Zeeshan
Date: Fri, 3 May 2024 08:23:01 +0500
Subject: Re: postgresql in docker to improve security
To: "Nguyen, Long (IM&T, St. Lucia)"
Cc: "pgsql-admin@lists.postgresql.org"

Hi

Yes, a Docker container improves security, and the following are the ways it does:

1. Isolation: When you run postgres in a container, you are isolating it from the host OS and other containers, so it limits the attack surface.
2. Port mapping: Mapping only the necessary container port and allowing access only through that port limits the attack surface.
3. You can manage the access privileges of the users that run the container.
4. Docker containers use namespaces for process isolation and security.

Regards
Kashif Zeeshan
Bitnine Global

On Fri, May 3, 2024 at 3:44 AM Nguyen, Long (IM&T, St. Lucia) <Long.Nguyen@csiro.au> wrote:

> Good day. This is a general db question.
>
> I start exploring containerisation and start learning docker. Would
> having postgresql in docker improve security in the sense that users could
> only access the db through the port mapped to the environment outside of
> docker, and if they somehow are able to hack and access outside the db, the
> access is limited within the container, not the OS that hosts the container?
>
> Thanks.
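Added example, not part of the original thread: the isolation, port-mapping and privilege points above hold only if the container is started with settings that preserve them. The sketch below audits `docker inspect` output for settings that weaken them; the container names and the sample JSON are constructed for illustration.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical
# containers (field names follow the Docker Engine inspect format).
SAMPLE = json.loads("""
[
 {"Name": "/pg-default",
  "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                 "PortBindings": {"5432/tcp": [{"HostIp": "", "HostPort": "5432"}]}},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]},
 {"Name": "/pg-hardened",
  "Config": {"User": "999:999"},
  "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                 "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/pgdata/_data",
              "Destination": "/var/lib/postgresql/data"}]}
]
""")

def audit(container):
    """Return findings for settings that undo the isolation a container provides."""
    findings = []
    hc = container.get("HostConfig") or {}
    # Port mapping: an empty HostIp means the port is published on every interface.
    for port, binds in (hc.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(f"port {port} published on all host interfaces")
    # Privileges: privileged mode and a root start both widen a compromise.
    if hc.get("Privileged"):
        findings.append("privileged mode disables most isolation")
    if (container.get("Config") or {}).get("User", "") in ("", "0", "root"):
        findings.append("container starts as root (no User set)")
    # Namespaces: sharing a host namespace removes that layer of isolation.
    for key in ("NetworkMode", "PidMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host shares a host namespace")
    # A mounted Docker socket lets the container control the daemon on the host.
    for m in container.get("Mounts") or []:
        if m.get("Source", "").endswith("docker.sock"):
            findings.append("Docker socket mounted into the container")
    return findings

if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"], audit(c) or "no findings")
```

On a live host, feed it the JSON from `docker inspect <container>` instead of the constructed sample.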