Linux - Virtualization and Cloud
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I guess yes (in general), but obviously it may depend on the creator.
Sometimes some apps in the Google app store are infected too, although they are tested rigorously.
I understand why Docker Hub works the way it does. Personally I'd rather have a git-style setup with the files needed to create a given docker. That way they can be examined rather than pre-built images.
Personally I just make the images myself, typically with Ubuntu or Debian.
It depends a lot on the type of image. There's a sort of hierarchy where the official images are more trustworthy than the others. Just as a matter of principle, but you probably shouldn't blindly trust them. Ideally you'd have some scanner that would look into them. Of course the second criterion is the number of downloads, which offers some sort of trustworthiness, but if you ask someone who works in security, he'd be appalled by that.
Slightly related to what jmgibson1981 says, there are images whose Dockerfile is hard to infer/read etc., which really sucks. I think mostly because people are lazy. So you should kind of know what these images contain, have access to the Dockerfile and try to understand them as much as possible.
The distro itself is relatively safe regardless. The base images to my knowledge are available from the official creators of a given distro. What can get questionable is what is built into the docker during creation. Maybe I'm just paranoid, I don't know. But I like to know exactly what I'm adding to my Debian, Ubuntu, Alpine, whatever. Even though it's somewhat contained, it is possible to add in a small illicit script or program that could cause some kind of damage, or more likely become a bot that will raise hell on the internet somewhere. Again... maybe I'm just paranoid.
This is the Dockerfile for my mythtv backend. Notice the script it goes and downloads on build. Without the Dockerfile you would probably never even know that script was there unless you stumbled on it. In this case it's part of the mythtv stuff. But it could just as easily be something nefarious or whatever. And you would never know.
My entrypoint activates a crontab inside the docker to run that script every week. Again, without these files you would never know that was going on unless you checked manually, or, even less likely, accidentally stumbled on it being there and active.
*EDIT* Ultimately for my part, Docker Hub is a good place to pull and examine images. But it's no safer than closed source software as far as I'm concerned, only because it's not very transparent with what is in a given image. I love Docker, pretty sure it's open source. But sadly there is no way to be sure of a given container's status and I treat them with caution. I'm not an open source zealot. I like and use some closed stuff, mainly games. But I try to avoid it where possible.
Last edited by jmgibson1981; 08-28-2022 at 01:03 PM.
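The point made in the post above, that a Dockerfile can pull an arbitrary script at build time and an entrypoint can quietly start cron, can be checked mechanically whenever the Dockerfile is available. The following is an added example, not code from the thread or from the poster's image: a small scanner that flags ADD/RUN instructions fetching remote content (and piping it straight into a shell) and entrypoints that start cron, run over a constructed Dockerfile whose package names and URLs are placeholders.

```python
import re

# Ad-hoc fetches that bypass the distro's signed package repositories.
FETCH_RE = re.compile(r"\b(curl|wget|git\s+clone)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")
URL_RE = re.compile(r"https?://\S+")

def join_continuations(text):
    """Merge backslash-continued lines so each instruction is one logical line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return logical

def scan_dockerfile(text):
    """Return (instruction number, reason, instruction) for anything worth a manual look."""
    findings = []
    for n, line in enumerate(join_continuations(text), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        instr, _, args = stripped.partition(" ")
        instr = instr.upper()
        if instr == "ADD" and URL_RE.search(args):
            findings.append((n, "ADD fetches a remote URL at build time", stripped))
        elif instr == "RUN" and PIPE_TO_SHELL_RE.search(args):
            findings.append((n, "RUN pipes downloaded content straight into a shell", stripped))
        elif instr == "RUN" and (FETCH_RE.search(args) or URL_RE.search(args)):
            findings.append((n, "RUN downloads content at build time", stripped))
        elif instr in ("ENTRYPOINT", "CMD") and re.search(r"\bcron\b", args):
            findings.append((n, f"{instr} starts cron; inspect the crontab it installs", stripped))
    return findings

# Constructed Dockerfile mirroring the pattern described in the thread (hosts are placeholders).
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y mythtv-backend cron \\
    && rm -rf /var/lib/apt/lists/*
RUN wget -O /usr/local/bin/weekly.sh https://example.invalid/weekly.sh && chmod +x /usr/local/bin/weekly.sh
RUN curl -fsSL https://example.invalid/install.sh | sh
ADD https://example.invalid/tool.tar.gz /opt/
ENTRYPOINT ["cron", "-f"]
"""
```

Running `scan_dockerfile(SAMPLE_DOCKERFILE)` flags the wget, the curl-pipe-to-sh, the remote ADD and the cron entrypoint, while the apt-get line (packages from the distro's signed repositories) passes; those flagged instructions are the ones to read before trusting an image.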
Sure. I can give you a checksum of my docker image, I guess. But that doesn't tell you what is inside that docker image. That is the point I'm making. Without ready access to the build files a checksum is relatively meaningless, especially if it's from a random person on the internet and not from a known, somewhat trusted distributor like Oracle, Canonical, Debian, the MariaDB people, any of the bigger ones.
Basically for my part getting random images that aren't from a trusted distributor on Docker Hub, aka made by people like me, is dangerous because there is no reason to trust what may or may not be inside it. Unless you plan on digging into them manually it's not much different than downloading a regular .msi or .exe for Windows from nonamewebsite.com.
A very helpful answer.
I'm not going to give up on Docker just yet because there may be Docker images that are safe if created by the trusted vendors you mentioned above. I just have to be diligent in my decision to use one or not.
I will probably just download the base distro image only and build from there.
Quote:
Originally Posted by vincix
GPG is used to check the repository packages.
I mean to say GPG signature. Linux Mint supports both ways of verifying an image, with checksums and with GPG signatures. The latter one requires you to import Linux Mint's public key.
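The two verification steps just mentioned, checksum and GPG signature, as an added example that is not from the thread or from any distro's tooling: the checksum step is implemented in full against the sha256sum(1) list format, and the signature step shells out to gpg, which must be installed with the vendor's public key already imported. The file names are assumptions.

```python
import hashlib
import shutil
import subprocess
from pathlib import Path

def parse_sha256sums(text):
    """Parse sha256sum(1) output lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest
    return sums

def sha256_of_file(path, chunk=1 << 20):
    """Hash a (possibly multi-GB) image without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_image(image_path, sums_text):
    """True only if the image's digest equals the list entry for its own file name."""
    image = Path(image_path)
    expected = parse_sha256sums(sums_text).get(image.name)
    return expected is not None and sha256_of_file(image) == expected

def verify_detached_signature(sums_path, sig_path):
    """Authenticate the checksum list itself: a matching checksum proves nothing
    if the list came from the same untrusted place as the image."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(["gpg", "--batch", "--verify", str(sig_path), str(sums_path)],
                          capture_output=True, text=True)
    return proc.returncode == 0

if __name__ == "__main__":
    # Constructed stand-in for a downloaded ISO and its published checksum list.
    Path("sample.iso").write_bytes(b"constructed image contents\n")
    sums = f"{sha256_of_file('sample.iso')} *sample.iso\n"
    print("checksum ok:", check_image("sample.iso", sums))
```

In real use the order matters: verify the signature on the checksum list first (for a key you obtained from the vendor, not from the same download page), and only then trust a checksum match.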