Containers newbie questions

2 replies [Latest content]
amuza
Offline
Joined: 02/12/2018

I'm having a look at containers (Docker and LXC/LXD)
and have some very basic questions.

I think users normally download an image from a centralized repository to run a container
or to use it as a parent image to build a new one for a customized container.

I guess those images people download are binaries, so it all seems to need some trust.

Do you download containers?

Is there a way to verify the original author of the image (like GPG signature)?
Or authors, in the case the image has been done using parent images.

How do you trust your downloaded images?

Thank you very much!

koszkonutek
Offline
Joined: 03/19/2020

This trust problem is one of the main reasons why I don't use containers :)

The quality of, say, Docker images publicly available is nowhere near the quality of software packaging in GNU/Linux distros.

Actually, I recall that Docker Hub allows everyone to upload packages, that are then available to the public. That's analogous to the problem we have with Maven, npm, PyPI, and all other monsters roaming the land of language-specific software repositories. Binaries are being uploaded by strangers and there isn't even a rule that would require uploaded software to be free (as in freedom).

As to PGP signatures on container images - idk what people practice, but if one is downloading images made by strangers, then digital signatures don't yield any benefit. What would be their purpose? To verify that an image has indeed been uploaded by a stranger?

And BTW, I once saw some analysis of one popular "pure Debian" Docker image. A guy found many differences from actual Debian in it. None of it was malicious, mostly some practical tweaks. However, I'd prefer to know what I am running.

What are possible solutions? Instead of binary container images it might be possible to find recipes online and use them to build those containers from scratch.

I think Guix provides some tools for container image creation. It was mentioned on this forum. If it works, it would be a solution that is simple and secure at the same time :)

amuza
Offline
Joined: 02/12/2018

Thank you. Sooner or later I'll have to try Guix. It seems to solve many problems.