docker-pihole-unbound VS docker-bench-security

I'm running the chriscrowe 'one container' build for pihole for ad-blocking (https://github.com/chriscrowe/docker-pihole-unbound), and unbound for private recursive DNS which is running great on my Zima board.

I believe my problem stems from when I tried to install the pihole-unbound container (https://github.com/chriscrowe/docker-pihole-unbound)

I've got lucky enough that I could get in Nov-19 a Raspberry Pi 4 with 4GB of RAM that I use as a NAS+Pi-Hole + Unbound +Other stuff (running Void MUSL of course) and instead of an SD I use an HDD for the OS + a 5TB HDD for the data and even fully loaded all cores it barely consumes more than 22W.

I was only able to get pihole macvlan approach working with an ssh access + docker-compose approach. I used the crowe one-container approach Still had to enable Open vSwitch for the network in Synology first.

You can follow the doc to do those install steps within your own Dockerfile. Or you can use the commonly recommended chriscrowe image, which does what I’m describing.

When I started experimenting with this topic chriscrowe's was a baseline for stuff that I tryed out, so kudos to chris!

It seems you’re looking at a wrong file. Here is a docker file for one-container solution: https://github.com/chriscrowe/docker-pihole-unbound/blob/55c88afaf8d76958923adc38f4c12a80e1cb9084/one-container/pihole-unbound/Dockerfile

2) you can use something like this maintained GitHub repo. Just decide if you want to use 1 or 2 containers and modify the ip and gateways, etc accordingly.

Scanning your container images for vulnerabilities is a good approach. But this scanning is not one time job, it should be done regularly (weekly, monthly, etc.) You need to follow vulnerability reports and fix all of the vulnerabilities as soon as possible. I recommend some open-source tools that could be useful: Trivy, Docker-Bench, Grype.

For Docker configuration I have used this in the past (it utilizes the CIS Docker Benchmark): https://github.com/docker/docker-bench-security

So the main tool to scan against the CIS Docker benchmark (I'm presuming that's the one you're interested in) is https://github.com/docker/docker-bench-security .

git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security sudo sh docker-bench-security.sh

when deploying images on cloud, I always run it thru "docker bench security" It helps finding potential security holes in my images.

Use Docker Bench for Security to audit your container images

Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

I run https://github.com/docker/docker-bench-security against my environment. I would determine what was non-applicable/not scored and then start with scored. Then I would do not scored. My team had made their own Dockerfiles when I started and just grabbed whatever image/version and getting things baselined was not fun. I had to do this for docker-compose and stay on version 2 yml as otherwise I had to go to swarm.