re: Docker: Restricting in- and outbound network traffic VIEW POST

re: First of all, I don't like the tone of your comments. There is no need for being harsh when arguing from a different perspective and (especially) w...

I read your blog carefully and understood your approach completely.

You violated the principle of least privilege( You really don't have to keep root permission in Dockerfile and add an option --privileged during container launching to impose firewall rule by iptables. It is completely unnecessary.

The better way is to add your firewall rules in the host to DOCKER-USER chain. BTW, only root in the host can modify firewall rule. It is secured. No one in docker group can modify the rule.

If you can do it in the host, why do you want to keep root and privileged option in container? Don't you think you violated PoLP?

Regarding my comment style, it might be harsh. Should I have to be political correct to say "hey, you might overlook xyz in your approach." Probably not. I think it is better this way: if it is wrong, just say it is wrong and correct it. Why do we have to sugarcoat everything we say and self-censor ourselves?

[...] my colleague called me calm down.

As your colleague told you as well: calm down and then reconsider my described use case (portable runtime environment, etc.).

The aspired direction of your discussion style is toxic and I'm not interested in being part of it.

Again, I'm open for a healthy debate, but your style of writing doesn't fulfill this requirement.

Have a nice day.

code of conduct - report abuse