Docker, Linux, Security. Kinda.

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • runj

    runj is an experimental, proof-of-concept OCI-compatible runtime for FreeBSD jails.

    We will be exploring some Linux features in the context of a Docker application container. Another way of explaining it would be to say we will talk about how to make more secure application containers. We will not talk about firewall and AppArmor because they are tools that enhance security on the host in general and are not specific to a Docker application container. A secure host means a more secure application container, but that is a discussion for another post. We will focus on Linux containers since FreeBSD containers are still experimental (see here and here). Yes, Windows containers exist. We will not discuss performance. Here be performance penalties, but again that is not the focus of this post.

  • busybox

    Docker Official Image packaging for Busybox (by docker-library)

    On to our second point, which is the CLI utilities' implementation. Debian and Ubuntu use GNU Coreutils while Alpine uses Busybox (remember, we are talking about the most used application container bases; you can install a desktop version of Alpine with GNU Coreutils). Here we have the same situation as before: the GNU Coreutils are bigger, do more and have a larger attack surface. Busybox is smaller and does not support as many features as GNU Coreutils, but does support enough of them to make them useful. Needless to say, Busybox is small and hence it has a smaller attack surface.

  • distroless

    🥑 Language focused docker images, minus the operating system.

    That's how we get distroless. Distroless base images follow the same pattern as Alpine base Docker images, as in, less functionality while still keeping enough functionality to be able to do the job and minimize the attack surface. Minimizing a base image like this means that the base images are very specialized, so we have base images for Go, Python, Java and the like.

  • bubblewrap

    Low-level unprivileged sandboxing tool used by Flatpak and similar projects

    As an example we will look at man 1 bwrap. Bubblewrap allows us to sandbox an application, not too dissimilar to Docker. Flatpaks use Bubblewrap as part of their sandbox. Bubblewrap can optionally take in a list of syscalls to filter. The filter is expressed as a BPF (Berkeley Packet Filter) program (remember when I said Docker gives you a friendlier interface to seccomp?). Below is a short program that defines a BPF program that can be passed to an application using bwrap that lets us log all the syscalls the application makes to syslog.

  • Moby

    The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

    Docker allows us to do the same. We can give Docker a seccomp profile to filter out the syscalls that are not required for a specific container. You can find the default Docker seccomp profile here.

  • milla

    new-generation IRC bot

    We will use milla as an example. It's a simple Go codebase.

  • incus

    Powerful system container and virtual machine manager

    System containers using LXC/Incus.
