Re: postgresql in docker to improve security


 



Hi all,

 

I know of an installation where virtual servers are running under VMware.

On a VM, Docker is running, which does virtualisation again.

Then there is a Kubernetes cluster running on top of that.

In my eyes this is completely insane.

Configuration complexity explodes.

Resources are wasted.

Kubernetes clusters are meant to run on dozens if not hundreds of real hardware machines. If one fails due to hardware, there should be no problem.

 

IMHO, if you do a proper installation on the OS you will need no Docker, Kubernetes and so on.

 

Look into hardening your OS if you have increased security needs.

Take this as a beginning:

https://tuxcare.com/blog/linux-system-hardening-top-10-security-tips/

 

Please, someone correct me if there are reasons against my opinion.

 

Best

 

From: Kashif Zeeshan <kashi.zeeshan@xxxxxxxxx>
Sent: Friday, 3 May 2024 07:18
To: vrms <vrms@xxxxxxxxxxxxx>
Cc: pgsql-admin@xxxxxxxxxxxxxxxxxxxx
Subject: Re: postgresql in docker to improve security

 

 

 

On Fri, May 3, 2024 at 10:14 AM vrms <vrms@xxxxxxxxxxxxx> wrote:

Interesting points @Kashif.

On the other hand, I often hear that containers are by design ephemeral and tend to crash. This would be a threat to data integrity (allegedly more than running in a VM, for instance).

Yes, that's true, but for that we have K8s, which can automate the recovery process.


Admittedly, the environment I am working in is not very open to, nor experienced with, container technology in general, so these claims might be based on hearsay, and those issues might not be actual problems any more these days.

Yes, I agree. The technology is changing rapidly, but there are still loopholes, and what we can do is avoid as many risks as possible, as nothing is 100% secure.


Any thoughts on that?


Also, I made a mental note that Podman, by design, was just a little more secure than Docker. I think it was due to the fact that containers can run without requiring root privileges for the user running a Podman container.



On 5/3/24 5:23 AM, Kashif Zeeshan wrote:

Hi

 

Yes, Docker containers improve security, and the following are the ways they do so.

1. Isolation: When you run Postgres in a container, you are isolating it from the host OS and other containers, so it limits the attack surface.

2. Port mapping: By mapping only the necessary container port and allowing access only through that port, you limit the attack surface.

3. You can manage the access privileges of the user that runs the container.

4. Docker containers use namespaces for process isolation and security.

 

Regards

Kashif Zeeshan

Bitnine Global

 

On Fri, May 3, 2024 at 3:44 AM Nguyen, Long (IM&T, St. Lucia) <Long.Nguyen@xxxxxxxx> wrote:

Good day. This is a general db question.

 

I have started exploring containerisation and learning Docker. Would having PostgreSQL in Docker improve security, in the sense that users could only access the DB through the port mapped to the environment outside of Docker, and if they somehow are able to hack and access outside the DB, the access is limited to the container, not the OS that hosts the container?

 

Thanks.
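The four points in Kashif's list (isolation, port mapping, privileges of the container user, namespaces) and Long's question about reaching the database only through the mapped port can be made concrete as a single `docker run` invocation. The script below is an added example and is not code from anyone in this thread or from the PostgreSQL or Docker projects. It assumes the official `postgres:16` image, whose `postgres` user has uid 999, a named volume `pgdata` for the data directory, and a host file `/etc/pg-hardened/pg_pw` holding the superuser password; all of these are constructed for the example. It also contains a small check that refuses a port mapping that would publish on every host interface, which is the easy mistake that undoes the port-mapping argument.

```shell
#!/bin/sh
# Added example, not from the thread. It turns the four points from the list
# above (isolation, port mapping, container-user privileges, namespaces) into a
# concrete `docker run` invocation for PostgreSQL, plus a check that the port
# mapping is not accidentally published on every host interface.
# Image tag, uid 999 (the postgres user in the official Debian-based image),
# volume name and secret path are assumptions made for this example.

PG_IMAGE="postgres:16"
PG_NAME="pg-hardened"
PG_DATA_VOL="pgdata"                      # named volume: data outlives the container
PG_PW_FILE="/etc/pg-hardened/pg_pw"       # host file holding the superuser password
PG_PUBLISH="127.0.0.1:5432:5432"          # host-ip:host-port:container-port

# Return 0 when a -p/--publish spec binds an explicit host address (loopback or
# one specific NIC) and 1 when it publishes on all interfaces, which is what a
# bare "5432:5432" or a "0.0.0.0:..." spec does.
publish_is_restricted() {
  case "$1" in
    0.0.0.0:*|\[::\]:*)         return 1 ;;  # explicit wildcard address
    *.*.*.*:*:*|\[*\]:*:*)      return 0 ;;  # IPv4 or bracketed IPv6 host address
    *)                          return 1 ;;  # "port:port" form: all interfaces
  esac
}

# Print the `docker run` arguments one per line. The optional argument overrides
# $PG_PUBLISH; an unrestricted publish spec is refused with a non-zero status.
pg_run_args() {
  _publish="${1:-$PG_PUBLISH}"
  if ! publish_is_restricted "$_publish"; then
    echo "refusing publish spec '$_publish': it binds on all interfaces" >&2
    return 1
  fi
  printf '%s\n' \
    --name "$PG_NAME" \
    --user 999:999 \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --read-only \
    --tmpfs /run/postgresql \
    --tmpfs /tmp \
    --pids-limit 200 \
    --publish "$_publish" \
    --volume "$PG_DATA_VOL:/var/lib/postgresql/data" \
    --volume "$PG_PW_FILE:/run/secrets/pg_pw:ro" \
    --env POSTGRES_PASSWORD_FILE=/run/secrets/pg_pw \
    --restart unless-stopped \
    --detach \
    "$PG_IMAGE"
}

# Usage:  sh pg_hardened.sh        -> dry run, print the argument list
#         sh pg_hardened.sh run    -> start the container (needs the docker CLI)
case "${1:-}" in
  run) pg_run_args | xargs docker run ;;
  *)   pg_run_args ;;
esac
```

Each option maps to a point from the thread: `--user 999:999`, `--cap-drop ALL` and `--security-opt no-new-privileges` keep the server from being root inside the container or regaining privileges (point 3); `--read-only` with `--tmpfs` for the runtime directories means a compromised server process cannot modify the image's filesystem (point 1); `--publish 127.0.0.1:5432:5432` exposes the listener only on the host's loopback, so clients outside the host reach it through whatever proxy, tunnel or firewall rule you deliberately add (point 2). The same argument list works with `podman run`; with rootless Podman the container additionally runs inside a user namespace, so even uid 0 inside the container is an unprivileged uid on the host, which is the Podman property mentioned above. What the container does not change is that crash recovery still depends on the data volume and on PostgreSQL's own WAL: the named volume is what keeps a container crash from being a data-integrity event.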
