public inbox for [email protected]  
From: Kashif Zeeshan <[email protected]>
To: vrms <[email protected]>
Cc: [email protected]
Subject: Re: postgresql in docker to improve security
Date: Fri, 3 May 2024 10:17:34 +0500
Message-ID: <CAAPsdhfc45E6Fr2ftErkd+USpaNeE5K7TRd8b6PYzXCnXrx4Jg@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<ME3PR01MB7362CB509A8274FBC27509AE8E182@ME3PR01MB7362.ausprd01.prod.outlook.com>
	<CAAPsdhdORCqnqGeMDyWQFE3PcF54kOB6-20U7mQCZ4nheCFUhQ@mail.gmail.com>
	<[email protected]>

On Fri, May 3, 2024 at 10:14 AM vrms <[email protected]> wrote:

> interesting points @Kashif.
>
> On the other hand I often, that containers are by design ephemeral and
> tend to crash. This would be a threat to data integrity (allegedly more
> than running in a VM i.e.).
>
Yes, that's true, but for that we have K8, which can automate the
recovery process.

>
> Admittedly the environment I am working in is not very open to, nor
> experienced with container-technology in general, so these claims might be
> based on hearsay and those issues might not be actual problems any more
> these days.
>
Yes, I agree, the technology is changing rapidly, but there are still
loopholes, and what we can do is avoid as many risks as possible, as
nothing is 100% secure.

>
> Any thoughts on that?
>
>
> Also I made a mark in my mind head that podman, by design, was just a
> little more secure than Docker. I think it was due to the fact Containers
> can run without the need of requiring root privileges for the user running
> a podman container.
>
>
>
>
> On 5/3/24 5:23 AM, Kashif Zeeshan wrote:
>
> Hi
>
> Yes, Docker containers improve security, and the following are the ways
> they do so.
> 1. Isolation: When you run postgres in a container, you are isolating it
> from the host OS and other containers, so it limits the attack surface.
> 2. Port mapping: Mapping only the necessary container port and
> allowing access only through that port limits the attack surface.
> 3. You can manage the access privileges of the users that run the container.
> 4. Docker containers use namespaces for process isolation and security.
>
> Regards
> Kashif Zeeshan
> Bitnine Global
>
> On Fri, May 3, 2024 at 3:44 AM Nguyen, Long (IM&T, St. Lucia) <
> [email protected]> wrote:
>
>> Good day. This is a general db question.
>>
>>
>>
>> I start exploring containerisation and start learning docker. Would
>> having postgresql in docker improve security in the sense that users could
>> only access the db through the port mapped to the environment outside of
>> docker, and if they somehow are able to hack and access outside the db, the
>> access is limited to the container, not the OS that hosts the container?
>>
>>
>>
>> Thanks.
>>
>
>
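
Added example, not part of the original message or of any project's code: a small audit of `docker inspect` output for the points raised in this thread (which ports are published and where, whether the container is privileged or starts as root, and whether the data directory survives an ephemeral container). The container name `pg-demo`, the sample JSON and the data path `/var/lib/postgresql/data` are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a hypothetical
# container named pg-demo (not taken from the thread).
SAMPLE_INSPECT = json.loads("""
[{"Name": "/pg-demo",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": false,
    "PortBindings": {
      "5432/tcp": [{"HostIp": "", "HostPort": "5432"}],
      "22/tcp": [{"HostIp": "0.0.0.0", "HostPort": "2222"}]}},
  "Mounts": []}]
""")

PG_PORT = "5432/tcp"                  # default PostgreSQL port
PG_DATA = "/var/lib/postgresql/data"  # assumption: official image's data directory


def audit(container):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    host = container.get("HostConfig") or {}
    # Port mapping: only the database port, and not on every host interface.
    # An empty HostIp is treated as "all interfaces" (Docker's default).
    for port, binds in (host.get("PortBindings") or {}).items():
        if port != PG_PORT:
            findings.append(f"extra port published: {port}")
        if any(b.get("HostIp", "") in ("", "0.0.0.0", "::") for b in binds or []):
            findings.append(f"{port} bound on all host interfaces")
    # Privileges: a privileged container, or one whose process starts as root.
    if host.get("Privileged"):
        findings.append("container runs privileged")
    user = (container.get("Config") or {}).get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("container process starts as root")
    # Ephemeral containers: data must live on a volume or bind mount.
    mounts = container.get("Mounts") or []
    if not any(m.get("Destination") == PG_DATA for m in mounts):
        findings.append("data directory is not on a volume")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT[0]):
        print(finding)
```

To check a real container, pass the parsed output of `docker inspect <name>` to `audit()` instead of the constructed sample.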

