Those random docker images are rarely used in isolation. They typically handle your data and often your customers data.
Beyond that, numerous escape exploits in linux containerization (and docker specifically) have popped up over the years, and many more are going to pop up over the coming years. This is not a mature space.
Running random binary code distributed from an non-curated source, even in a "container" is going to end in heartache.
And that’s why you should usually build your own images, and only trust docker images from the same people whose binaries you’d also trust with all your data.
(e.g. a docker image from RedHat may be okay, one from zhenghe8 likely not)
> Those random docker images are rarely used in isolation. They typically handle your data and often your customers data.
Thank you. This is something that I truly hate Google for. They constantly spread this mentality that isolation = nothing bad can ever happen to your data. And then they build a horrible permission system on top of that idea and leave everything else up to the user.
And as a result, the Google Play Store and Chrome Store are the most malware-filled app stores that I'm aware of.
Despite that, you still had people giving Firefox shit for not isolating add-ons, which however were thoroughly reviewed and as a result quite clearly less often subject to malicious intents.
And then something like the Web of Trust fiasco, where the add-on as a feature sends your browsing history out to the internet and then bad things happen there (the WoT devs sold the browsing data in an anonymized form that was shown to be deanonymizable rather easily), against that neither isolation nor a review can help, so we shouldn't act like any security technique is perfect. We still need users to think for themselves, even if that's bad for Google's business model.
I have used the following image[1] on a server of my old company where we had a problem and no one with privileges was available. It gives you a root shell. I added my public key to the authorized_keys of root.
Beyond that, numerous escape exploits in linux containerization (and docker specifically) have popped up over the years, and many more are going to pop up over the coming years. This is not a mature space.
Running random binary code distributed from an non-curated source, even in a "container" is going to end in heartache.