LinuxQuestions.org
Old 08-26-2022, 10:03 PM   #1
geekoo
Are docker images safe and secure to use?


Hi

I remember reading a long time ago that a certain snap package had malware.

Are Docker images scanned for malware before being accepted to the Docker Hub repo?

Thanks
 
Old 08-27-2022, 03:36 AM   #2
pan64
I guess yes (in general), but obviously it may depend on the creator.
Sometimes some apps in the Google app store are infected too, although they are tested rigorously.
 
1 members found this post helpful.
Old 08-27-2022, 03:43 AM   #3
jmgibson1981
I understand why Docker Hub works the way it does. Personally I'd rather have a git-style setup with the files needed to create a given docker. That way they can be examined, rather than pre-built images.

Personally I just make the images myself, typically with Ubuntu or Debian.
 
2 members found this post helpful.
Old 08-27-2022, 04:50 PM   #4
vincix
It depends a lot on the type of image. There's a sort of hierarchy where the official images are more trustworthy than the others. Just as a matter of principle, but you probably shouldn't blindly trust them. Ideally you'd have some scanner that would look into them. Of course the second criterion is the number of downloads, which offers some sort of trustworthiness, but if you ask someone who works in security, he'd be appalled by that.

Slightly related to what jmgibson1981 says, there are images whose Dockerfile is hard to infer/read etc., which really sucks. I think mostly because people are lazy. So you should kind of know what these images contain, have access to the Dockerfile and try to understand them as much as possible.
 
1 members found this post helpful.
Old 08-28-2022, 06:52 AM   #5
geekoo
Thanks guys for your helpful answers. I clicked yes to all of you to increase your reputations.

@jmgibson1981

Does this mean that a base image of a distro is much better and maybe more secure than an image built already with services and applications?

Anyone can answer this question if they know.

BTW, this question is for all. Do you use docker or some other type of VM? I currently use qemu/kvm.

Last edited by geekoo; 08-28-2022 at 06:55 AM.
 
Old 08-28-2022, 12:53 PM   #6
jmgibson1981
The distro itself is relatively safe regardless. The base images to my knowledge are available from the official creators of a given distro. What can get questionable is what is built into the docker during creation. Maybe I'm just paranoid, I don't know. But I like to know exactly what I'm adding to my Debian, Ubuntu, Alpine, whatever. Even though it's somewhat contained it is possible to add in a small illicit script or program that could cause some kind of damage, or more likely become a bot that will raise hell on the internet somewhere. Again... maybe I'm just paranoid.

https://gitlab.com/jmgibson1981/home...htv/Dockerfile

This is the Dockerfile for my mythtv backend. Notice the script it goes and downloads on build. Without the Dockerfile you would probably never even know that script was there unless you stumbled on it. In this case it's part of the mythtv stuff. But it could just as easily be something nefarious or whatever. And you would never know.

https://gitlab.com/jmgibson1981/home.../entrypoint.sh

My entrypoint activates a crontab inside the docker to run that script every week. Again without these files you would never know that was going on unless you checked manually, or even less likely accidentally stumbled on it being there and active.

*EDIT* Ultimately for my part, Dockerhub is a good place to pull and examine images. But it's no safer than closed source software as far as I'm concerned, only because it's not very transparent with what is in a given image. I love Docker, pretty sure it's open source. But sadly there is no way to be sure of a given container's status and I treat them with caution. I'm not an open source zealot. I like and use some closed stuff, mainly games. But I try to avoid it where possible.

Last edited by jmgibson1981; 08-28-2022 at 01:03 PM.
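An added example, not code from the thread and not jmgibson1981's or vincix's own files: when a published image comes without a readable Dockerfile (vincix's complaint in #4), the build instructions are still recorded in the image config's history, and files such as the entrypoint script jmgibson1981 describes above can be read straight out of the layers of a `docker save` tarball. The image below is constructed in memory with the same layout docker save produces; the package names, the download URL, the layer names and the crontab line are invented for the demo.

```python
"""Added example, not code from the thread or from the images it links to:
recover an image's build steps and files from a `docker save` tarball when
the Dockerfile is not published."""
from __future__ import annotations

import io
import json
import re
import tarfile


def _tar_bytes(files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for `docker save demo/mythtv:latest`: same layout
    (manifest.json, image config with history, one layer.tar per layer), but the
    commands, the URL and the entrypoint script are invented for this demo."""
    entrypoint = (b"#!/bin/sh\n"
                  b"echo '0 3 * * 0 /usr/local/bin/update.sh' | crontab -\n"
                  b"cron && exec mythbackend\n")
    config = {
        "config": {"Entrypoint": ["/entrypoint.sh"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:rootfs in /"},
            {"created_by": "/bin/sh -c apt-get update && apt-get install -y mythtv-backend cron"},
            {"created_by": "/bin/sh -c curl -fsSL https://example.invalid/update.sh "
                           "-o /usr/local/bin/update.sh && chmod +x /usr/local/bin/update.sh"},
            {"created_by": "/bin/sh -c #(nop) COPY file:entry in /entrypoint.sh"},
            {"created_by": '/bin/sh -c #(nop)  ENTRYPOINT ["/entrypoint.sh"]', "empty_layer": True},
        ],
    }
    layers = {
        "l1/layer.tar": _tar_bytes({"etc/os-release": b"ID=debian\n"}),
        "l3/layer.tar": _tar_bytes({"usr/local/bin/update.sh": b"#!/bin/sh\n# fetched at build time\n"}),
        "l4/layer.tar": _tar_bytes({"entrypoint.sh": entrypoint}),
    }
    manifest = [{"Config": "cfg.json", "RepoTags": ["demo/mythtv:latest"], "Layers": list(layers)}]
    return _tar_bytes({"manifest.json": json.dumps(manifest).encode(),
                       "cfg.json": json.dumps(config).encode(), **layers})


# Build-time instructions worth a second look; most specific rule first.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download straight into a shell"),
    (re.compile(r"\b(curl|wget)\b"), "fetches content at build time; read the URL"),
    (re.compile(r"\bcron(tab)?\b"), "installs or configures cron, so something runs later unattended"),
    (re.compile(r"\b(nc|ncat|socat)\b"), "adds a raw network tool"),
]


def build_steps(image_tar: bytes) -> list[str]:
    """Return the Dockerfile-like instructions recorded in the image config's history."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        config = json.load(tar.extractfile(manifest[0]["Config"]))
    steps = []
    for entry in config.get("history", []):
        # Strip the "/bin/sh -c" and "#(nop)" wrapping the builder records.
        steps.append(re.sub(r"^/bin/sh -c (#\(nop\)\s*)?", "", entry.get("created_by", "")))
    return steps


def audit_steps(steps: list[str]) -> list[tuple[str, str]]:
    """Flag steps matching SUSPICIOUS as (reason, step) pairs, one reason per step."""
    findings = []
    for step in steps:
        for pattern, reason in SUSPICIOUS:
            if pattern.search(step):
                findings.append((reason, step))
                break
    return findings


def read_file_from_image(image_tar: bytes, path: str) -> bytes | None:
    """Return the final content of `path` in the image filesystem: layers are
    applied in manifest order, so the last layer writing the file wins.
    Whiteout entries (.wh.*) for deleted files are not handled here."""
    path = path.lstrip("/")
    content = None
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = tar.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                try:
                    member = layer.extractfile(path)
                except KeyError:
                    continue
                if member is not None:
                    content = member.read()
    return content


if __name__ == "__main__":
    image = build_sample_image()
    steps = build_steps(image)
    for step in steps:
        print("STEP ", step)
    for reason, step in audit_steps(steps):
        print("FLAG ", reason, "::", step)
    print(read_file_from_image(image, "/entrypoint.sh").decode())
```

For a real image, replace build_sample_image() with the bytes of `docker save <image>`. The history only records build-time instructions, which is why the COPY'd entrypoint still has to be read out of its layer with read_file_from_image: the crontab it installs is invisible in the history, exactly the case described in the post above. Real layers may also contain whiteout files for deletions, which this simplified reader ignores.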
 
Old 08-28-2022, 09:34 PM   #7
geekoo
@ jmgibson1981

I appreciate the extra info. Thanks

I will stick to iso files. I can at least be assured it's safer because the large distros will have GPG keys to verify the images.
 
Old 08-29-2022, 01:36 PM   #8
vincix
Don't you mean checksums though? Checksums exist for docker images too. GPG is used to check the repository packages.
 
Old 08-29-2022, 02:31 PM   #9
jmgibson1981
Sure. I can give you a checksum of my docker image I guess. But that doesn't tell you what is inside that docker image. That is the point I'm making. Without ready access to the build files a checksum is relatively meaningless, especially if it's from a random person on the internet and not from a known, somewhat trusted distributor like Oracle, Canonical, Debian, the MariaDB people, any of the bigger ones.

Basically for my part, getting random images that aren't from a trusted distributor on Docker Hub, aka made by people like me, is dangerous because there is no reason to trust what may or may not be inside it. Unless you plan on digging into them manually it's not much different than downloading a regular .msi or .exe for Windows from nonamewebsite.com
 
2 members found this post helpful.
Old 08-29-2022, 02:39 PM   #10
vincix
I was just clearing up a confusion that geekoo was making, really...
 
Old 08-29-2022, 02:41 PM   #11
jefro
ClearLinux OS even warns you that there could be an issue.
 
Old 08-29-2022, 07:15 PM   #12
geekoo
Quote:
Originally Posted by jmgibson1981
Sure. I can give you a checksum of my docker image I guess. But that doesn't tell you what is inside that docker image. That is the point I'm making. Without ready access to the build files a checksum is relatively meaningless, especially if it's from a random person on the internet and not from a known, somewhat trusted distributor like Oracle, Canonical, Debian, the MariaDB people, any of the bigger ones.

Basically for my part, getting random images that aren't from a trusted distributor on Docker Hub, aka made by people like me, is dangerous because there is no reason to trust what may or may not be inside it. Unless you plan on digging into them manually it's not much different than downloading a regular .msi or .exe for Windows from nonamewebsite.com
A very helpful answer.

I'm not going to give up on docker just yet because there may be docker's images that are safe if created by trusted vendors you had mentioned above. I just have to be diligent in my decision to use one or not.

I will probably just download the base distro image only and build from there.


Quote:
Originally Posted by vincix
GPG is used to check the repository packages.
I meant to say GPG signature. Linux Mint supports both ways of verifying an image, with checksums and with GPG signatures. The latter one requires you to import Linux Mint's public key.

Last edited by geekoo; 08-29-2022 at 10:35 PM.
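An added example, not code from the thread, on the checksum-versus-signature point made in #8, #9 and #12: what the checksum of a Docker image actually is, and why both sides of that exchange are right. Registry content is content-addressed; the `@sha256:...` that can be pinned in an image reference is the SHA-256 of the manifest bytes, and the manifest lists the digest of every layer blob, so a client can verify the whole chain on its own. The manifests and layers below are constructed in memory as stand-ins for what a registry serves, and the reference parser is a simplified one written for this demo (it does not handle registry host:port prefixes).

```python
"""Added example, not code from the thread: what an image digest is (SHA-256
of the manifest bytes, which in turn lists the SHA-256 of every layer blob)
and what pinning it does and does not prove."""
from __future__ import annotations

import hashlib
import json
import re

# Simplified reference grammar for this demo: repo[:tag][@sha256:hex]
# (no registry host:port handling).
REF_RE = re.compile(
    r"^(?P<name>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref: str) -> dict[str, str | None]:
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.groupdict()


def sha256_digest(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def make_image(layers: list[bytes]) -> tuple[bytes, dict[str, bytes]]:
    """Build a minimal OCI-style manifest and blob store for constructed layer
    contents (stand-in for what a registry serves; real layers are tar+gzip)."""
    blobs = {sha256_digest(b): b for b in layers}
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                    "digest": d, "size": len(b)} for d, b in blobs.items()],
    }
    # The digest covers the exact bytes served, so serialization must be stable.
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode(), blobs


def verify_pull(manifest_bytes: bytes, blobs: dict[str, bytes], pinned: str | None) -> list[str]:
    """Check the chain a client can check on its own: pinned digest -> manifest
    bytes -> each layer blob. Returns the problems found; [] means every piece
    hashes to the name it was served under."""
    problems = []
    if pinned is not None and sha256_digest(manifest_bytes) != pinned:
        problems.append("manifest does not match pinned digest")
    for layer in json.loads(manifest_bytes)["layers"]:
        blob = blobs.get(layer["digest"])
        if blob is None:
            problems.append(f"missing blob {layer['digest']}")
        elif len(blob) != layer["size"] or sha256_digest(blob) != layer["digest"]:
            problems.append(f"blob {layer['digest'][:19]}... does not hash to its name")
    return problems


def demo() -> dict[str, list[str]]:
    good_manifest, good_blobs = make_image([b"rootfs-layer", b"app-layer"])
    pinned = sha256_digest(good_manifest)  # what you would write as repo@sha256:...

    # Case 1: a blob corrupted or swapped in transit; its name no longer matches.
    app_digest = sha256_digest(b"app-layer")
    corrupted = {**good_blobs, app_digest: b"app-layer-with-extra-bytes"}

    # Case 2: the publisher (or someone holding their credentials) pushes a
    # different image under the same tag. Manifest and blobs are self-consistent.
    evil_manifest, evil_blobs = make_image([b"rootfs-layer", b"app-layer-plus-miner"])

    return {
        "pinned_ok": verify_pull(good_manifest, good_blobs, pinned),
        "corrupted_blob": verify_pull(good_manifest, corrupted, pinned),
        "tag_only_swap": verify_pull(evil_manifest, evil_blobs, None),  # passes!
        "pinned_swap": verify_pull(evil_manifest, evil_blobs, pinned),  # caught
    }


if __name__ == "__main__":
    print(parse_reference("library/ubuntu:22.04"))
    for case, problems in demo().items():
        print(f"{case:15} {problems or 'OK (all content hashes as named)'}")
```

The tag_only_swap result is jmgibson1981's point: a re-published tag with a different layer hashes perfectly well, because a digest proves integrity, not origin. It only helps if the digest came from somewhere you already trust, such as a pinned `@sha256:` reference in your own deployment files, or a signature over it (Docker Content Trust or cosign), which is the role the distro's GPG signature plays for an ISO in the post above.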
 
  

