[beeboobaa]

> Auditing a docker container is way more difficult/complex.

I assume you mean auditing docker images. In which case, sure. That's why you grab their dockerfile and build it yourself.

Though using dive[1] it's pretty easy to inspect docker images too, as long as they extend a base image you trust.

[1] https://github.com/wagoodman/dive

[iforgotpassword]

> That's why you grab their dockerfile and build it yourself.

Then you still didn't audit anything. What you need to do is inspect the docker file, follow everything it pulls in and audit that, finally audit the script itself that the whole container gets built for in the first place. Whereas when you just download the script and run that directly, you only need to do the last step.

[mook]

Yeah, people don't seem to actually care. The Bitnami images were quite popular, but looking inside it they all just pull random tarballs from their server, and nothing seemed to indicate where those things came from.

[beeboobaa]

All of that is the same as a shell script, yes. A dockerfile is essentially just a glorified shell script installing dependencies, which you'd otherwise just be doing yourself.

[coldtea]

>Then you still didn't audit anything. What you need to do is inspect the docker file, follow everything it pulls in and audit that

You don't need to audit anything it pulls in INSIDE the container. Who cares? Just what kind of access it gives the container to the host.

[stirfish]

This sounds like fine a way to mine Bitcoin for someone else

[coldtea]

The whole point is that you checked that the container gets no access to the network.

Not to mention why wouldn't you let a shell script container keep running?

[tomjakubowski]

You can use quotas to mitigate that risk, and monitoring to discover it. You'd be monitoring CPU usage anyway, whether or not you build your own images or write your own Dockerfiles.

[agumonkey]

oh dang, dive is really a nice tool, per layer diff and/or accumulated changes .. really nice