Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s2lFY-005prK-K7 for pgsql-admin@arkaria.postgresql.org; Fri, 03 May 2024 05:14:25 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s2lFU-005xCa-12 for pgsql-admin@arkaria.postgresql.org; Fri, 03 May 2024 05:14:20 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s2lFT-005xCS-LQ for pgsql-admin@lists.postgresql.org; Fri, 03 May 2024 05:14:20 +0000 Received: from cc-smtpout3.netcologne.de ([2001:4dd0:100:1062:25:2:0:3]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s2lFS-001HxE-5c for pgsql-admin@lists.postgresql.org; Fri, 03 May 2024 05:14:19 +0000 Received: from cc-smtpin1.netcologne.de (cc-smtpin1.netcologne.de [89.1.8.201]) by cc-smtpout3.netcologne.de (Postfix) with ESMTP id 0F4FF125DD for ; Fri, 3 May 2024 07:14:17 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=netcologne.de; s=nc1116a; t=1714713257; bh=aV3Pod2U8jM/3DBiVjIP26qq+y+VMe+41jg3herVc1I=; h=Message-ID:Date:Subject:To:References:From:In-Reply-To:From; b=V1Iodn5ZU2Kxn5ofdzUUDNDxYiv16Xltsam8zThBifYk4Q4LoV6gFSgUobwpTPMPW cr+VeD59Q3BrjjiM2GoRgnI7ClL7uc6q4quuHqoOsI/4hvM7EbnWFh4MEYHml4FgZi xXAL5IsmG9Hge4jL5uOV/gd5SVOi9SjmO3FXE/GM/IDtzCeVfEGhDFdpdCamY/Q2bV o9VDLs4RapARBt3VOlwm7l2Sp9Bxulq91ys1rI+HOj1t+KE8Te3lOH7qjVbIhmgJSq jw0Vfk6UjVmzocjHNkuBoQsiJgGg/aakUm3RQaqRu+Pd4wQ5d6x7qqm7G+PdNEFNbO RBYJ0dGBFVR0w== Received: from [IPV6:2a03:b580:aa3a:2401:d929:6407:7eba:db37] (unknown [IPv6:2a03:b580:aa3a:2401:d929:6407:7eba:db37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by cc-smtpin1.netcologne.de (Postfix) with ESMTPSA id D18DF11DF2 for ; Fri, 3 May 2024 07:14:16 +0200 (CEST) Content-Type: multipart/alternative; boundary="------------QrziNHphSbJOYfhK3uhZWext" Message-ID: Date: Fri, 3 May 2024 07:14:57 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: postgresql in docker to improve security To: pgsql-admin@lists.postgresql.org References: Content-Language: en-US From: vrms In-Reply-To: X-NetCologne-Spam: L X-Rspamd-Queue-Id: D18DF11DF2 X-Spamd-Bar: ---- X-Rspamd-Action: no action List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk This is a multi-part message in MIME format. --------------QrziNHphSbJOYfhK3uhZWext Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit interesting points @Kashif. On the other hand I often, that containers are by design ephemeral  and tend to crash. This would be a threat to data integrity (allegedly more then running in a VM i.e.). Admittedly the environment I am working in is not very open to, nor experienced with container-technology in general, so these claims might be based on hearsay and those issues might not be actual problems any more these days. Any thoughts on that? Also I made a mark in my mind head thad podman, by design, was just a little more secure then Docker. I think it was due to the fact Containers can run without the need of requiring root privileges for the user running a podman container. On 5/3/24 5:23 AM, Kashif Zeeshan wrote: > Hi > > Yes docker container improves the security and following are the ways > it does. > 1. Isolation : When you run postgres in a container, you are isolating > it from host os and other containers so it limits the attack surface. > 2. Port mapping : By mapping only the necessary container port and > allowing access only using that port limits the attack surface. > 3. You can manage the access privileges of the users that run container > 4. Docker containers use namespaces for process isolation and security. > > Regards > Kashif Zeeshan > Bitnine Global > > On Fri, May 3, 2024 at 3:44 AM Nguyen, Long (IM&T, St. Lucia) > wrote: > > Good day. This is a general db question. > > I start exploring containerisation and start learning docker.  > Would having postgresql in docker improve security in the sense > that users could only access to the db through the port mapped to > the environment outside of docker, and if they somehow are able to > hack and access outside the db, the access is limited within the > container not the OS that host the container. > > Thanks. > On 5/3/24 5:23 AM, Kashif Zeeshan wrote: > Hi > > Yes docker container improves the security and following are the ways > it does. > 1. Isolation : When you run postgres in a container, you are isolating > it from host os and other containers so it limits the attack surface. > 2. Port mapping : By mapping only the necessary container port and > allowing access only using that port limits the attack surface. > 3. You can manage the access privileges of the users that run container > 4. Docker containers use namespaces for process isolation and security. > > Regards > Kashif Zeeshan > Bitnine Global > > On Fri, May 3, 2024 at 3:44 AM Nguyen, Long (IM&T, St. Lucia) > wrote: > > Good day. This is a general db question. > > I start exploring containerisation and start learning docker.  > Would having postgresql in docker improve security in the sense > that users could only access to the db through the port mapped to > the environment outside of docker, and if they somehow are able to > hack and access outside the db, the access is limited within the > container not the OS that host the container. > > Thanks. > --------------QrziNHphSbJOYfhK3uhZWext Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit
interesting points @Kashif.

On the other hand I often, that containers are by design ephemeral  and tend to crash. This would be a threat to data integrity (allegedly more then running in a VM i.e.).

Admittedly the environment I am working in is not very open to, nor experienced with container-technology in general, so these claims might be based on hearsay and those issues might not be actual problems any more these days.

Any thoughts on that?


Also I made a mark in my mind head thad podman, by design, was just a little more secure then Docker. I think it was due to the fact Containers can run without the need of requiring root privileges for the user running a podman container.




On 5/3/24 5:23 AM, Kashif Zeeshan wrote:
Hi

Yes docker container improves the security and following are the ways it does.
1. Isolation : When you run postgres in a container, you are isolating it from host os and other containers so it limits the attack surface.
2. Port mapping : By mapping only the necessary container port and allowing access only using that port limits the attack surface.
3. You can manage the access privileges of the users that run container
4. Docker containers use namespaces for process isolation and security.

Regards
Kashif Zeeshan
Bitnine Global

On Fri, May 3, 2024 at 3:44 AM Nguyen, Long (IM&T, St. Lucia) <Long.Nguyen@csiro.au> wrote:

Good day. This is a general db question.

 

I start exploring containerisation and start learning docker.  Would having postgresql in docker improve security in the sense that users could only access to the db through the port mapped to the environment outside of docker, and if they somehow are able to hack and access outside the db, the access is limited within the container not the OS that host the container.

 

Thanks.




On 5/3/24 5:23 AM, Kashif Zeeshan wrote:
Hi

Yes docker container improves the security and following are the ways it does.
1. Isolation : When you run postgres in a container, you are isolating it from host os and other containers so it limits the attack surface.
2. Port mapping : By mapping only the necessary container port and allowing access only using that port limits the attack surface.
3. You can manage the access privileges of the users that run container
4. Docker containers use namespaces for process isolation and security.

Regards
Kashif Zeeshan
Bitnine Global

On Fri, May 3, 2024 at 3:44 AM Nguyen, Long (IM&T, St. Lucia) <Long.Nguyen@csiro.au> wrote:

Good day. This is a general db question.

 

I start exploring containerisation and start learning docker.  Would having postgresql in docker improve security in the sense that users could only access to the db through the port mapped to the environment outside of docker, and if they somehow are able to hack and access outside the db, the access is limited within the container not the OS that host the container.

 

Thanks.

--------------QrziNHphSbJOYfhK3uhZWext--