undefined | Better HN

0 pointsDiabloD37mo ago0 comments

Docker images are built with binaries that have unpatched security bugs. They will continue to have them because the people building them do not care and do not understand how to actually build images.

If you build the images, and you either source binaries from a clean source or build them yourself, then your images might actually be sane. People and companies can automate this, and some do as part of their orchestration strategy.

Most people want the promise of Docker but don't want to have to actually learn how to orchestrate, and shoot themselves in the foot with images they got from some random dude on DockerHub, and no matter how much people try to educate them it just never sinks in.

0 comments

cortesoft7mo ago

Ok, but that seems different than:

> Every single package, every single dependency, that has an actively exploited security flaw is being exploited in the Docker images you're using

This says that every exploit in a docker image you use IS BEING exploited, not that it COULD BE exploited.

benterix7mo ago

But you are aware that most orgs do scan images, right? It's like Docker 101.

DiabloD3OP7mo ago

Haha, some do, and then don't know what they're looking for.

Companies getting pwned because of Docker image hygiene issues should never make it to the HN front page.

They still do.

If your system does not involve an automatic CI loop of "new package/upstream source code/somebody else's Docker image (yuck)" -> "testing" -> "some sort of staged rollout to prod", then do not use Docker. If you are doing this, then you have better choices than Docker.

Fun fact: From Kubernetes, I can orchestrate actual VMs that startup faster, use less resources, and use my CPU's hardware virtualization instructions and, on top of that all, offer a Docker-compatible API to interface with legacy tools!

It's called Firecracker. Its KVM, underneath, the only tech I'm willing to use, after having used everything. Everyone gets to have their ridiculously overcomplex APIs, I get to have my actually working VMs.

jeroenhd7mo ago

Some orgs definitely scan images! I wouldn't say most, though.

j / k navigate · click thread line to collapse