Symfony Profiler

null

Proxies\__CG__\App\Entity\Entry {#1740
  +user: Proxies\__CG__\App\Entity\User {#2372 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
  +slug: "How-do-I-create-a-docker-container-with-custom-programs"
  +title: "How do I create a docker container with custom programs inside?"
  +url: null
  +body: """
    Hello! I have a free account at hide.me and would like to try to use it with my docker compose containers. The free plan does not give me the keys for openVPN of Wireguard configuration, but only through the official client. I’d like then to create a docker container that runs the official hide.me client inside, and exposes it to other docker containers (like gluetun does, for instance). I’d also like to implement a killswitch or something like that to prevent ip leakage. Is this something easy-medium hard or something very complex? I already have a script that installs and runs the client to enable vpn that should be run at startup, but I miss the “expose the network interface” and the “do not expose it if not connected” (this last part I think is pretty easy with a basic firewall configuration)\n
    \n
    any tips/something already done?  \n
    thanks in advance!\n
    \n
    EDIT: probably crazy idea, but would it be possible to do this in gluetun?
    """
  +type: "article"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 11
  +favouriteCount: 30
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1728784342 {#2460
    date: 2024-10-13 03:52:22.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#2140 …}
  +votes: Doctrine\ORM\PersistentCollection {#2094 …}
  +reports: Doctrine\ORM\PersistentCollection {#2090 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2327 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2328 …}
  +badges: Doctrine\ORM\PersistentCollection {#2335 …}
  +children: [
    App\Entity\EntryComment {#1741
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1740 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: null
      +root: null
      +body: "Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the ‘VPN’ container (for example running them with unshare). However, I wouldn’t recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it’s feasible."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 7
      +score: 0
      +lastActive: DateTime @1706207127 {#1717
        date: 2024-01-25 19:25:27.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@tubbadu@lemmy.kde.social"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1707 …}
      +nested: Doctrine\ORM\PersistentCollection {#2464 …}
      +votes: Doctrine\ORM\PersistentCollection {#2448 …}
      +reports: Doctrine\ORM\PersistentCollection {#2447 …}
      +favourites: Doctrine\ORM\PersistentCollection {#2462 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2461 …}
      -id: 339958
      -bodyTs: "'case':89 'cli':15 'compos':31 'contain':2,26,38,48,59,73 'creat':17 'default':4 'docker':14,30 'docker-compos':29 'exampl':61 'feasibl':95 'howev':66 'insid':52 'isol':79 'kind':85 'most':78 'namespac':10,55 'network':9,19,45,54 'outsid':37 'process':36 'recommend':70 'run':5,50,62,77 'separ':8 'share':23 'specif':18 'still':41 'suppos':75 'technic':34,92 'unshar':65 'use':13,28,42,88 'use-cas':87 'vpn':58 'workload':80 'wouldn':68 'yeah':91"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/7007733"
      +editedAt: null
      +createdAt: DateTimeImmutable @1706207127 {#1739
        date: 2024-01-25 19:25:27.0 +01:00
      }
      +"title": 339958
    }
  ]
  -id: 33027
  -titleTs: "'contain':7 'creat':4 'custom':9 'docker':6 'insid':11 'program':10"
  -bodyTs: "'account':6 'advanc':153 'alreadi':98,149 'also':72 'basic':144 'client':41,56,107 'complex':96 'compos':20 'configur':35,146 'connect':133 'contain':21,50,64 'crazi':156 'creat':47 'd':43,71 'docker':19,49,63 'done':150 'easi':90,141 'easy-medium':89 'edit':154 'enabl':109 'expos':59,121,129 'firewal':145 'free':5,23 'give':27 'gluetun':66,167 'hard':92 'hello':1 'hide.me':8,55 'idea':157 'implement':75 'insid':57 'instal':103 'instanc':69 'interfac':124 'ip':84 'key':30 'killswitch':77 'last':135 'leakag':85 'like':11,44,65,73,80 'medium':91 'miss':119 'network':123 'offici':40,54 'openvpn':32 'part':136 'plan':24 'possibl':162 'pretti':140 'prevent':83 'probabl':155 'run':52,105,114 'script':101 'someth':79,88,94 'startup':116 'thank':151 'think':138 'tips/something':148 'tri':13 'use':15 'vpn':110 'wireguard':34 'would':10,159"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1706287054
  +visibility: "visible             "
  +apId: "https://lemmy.kde.social/post/722914"
  +editedAt: null
  +createdAt: DateTimeImmutable @1706200654 {#2360
    date: 2024-01-25 17:37:34.0 +01:00
  }
  +__isInitialized__: true
   …2
}

Proxies\__CG__\App\Entity\Entry {#1740
  +user: Proxies\__CG__\App\Entity\User {#2372 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
  +slug: "How-do-I-create-a-docker-container-with-custom-programs"
  +title: "How do I create a docker container with custom programs inside?"
  +url: null
  +body: """
    Hello! I have a free account at hide.me and would like to try to use it with my docker compose containers. The free plan does not give me the keys for openVPN of Wireguard configuration, but only through the official client. I’d like then to create a docker container that runs the official hide.me client inside, and exposes it to other docker containers (like gluetun does, for instance). I’d also like to implement a killswitch or something like that to prevent ip leakage. Is this something easy-medium hard or something very complex? I already have a script that installs and runs the client to enable vpn that should be run at startup, but I miss the “expose the network interface” and the “do not expose it if not connected” (this last part I think is pretty easy with a basic firewall configuration)\n
    \n
    any tips/something already done?  \n
    thanks in advance!\n
    \n
    EDIT: probably crazy idea, but would it be possible to do this in gluetun?
    """
  +type: "article"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 11
  +favouriteCount: 30
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1728784342 {#2460
    date: 2024-10-13 03:52:22.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#2140 …}
  +votes: Doctrine\ORM\PersistentCollection {#2094 …}
  +reports: Doctrine\ORM\PersistentCollection {#2090 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2327 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2328 …}
  +badges: Doctrine\ORM\PersistentCollection {#2335 …}
  +children: [
    App\Entity\EntryComment {#1741
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1740 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: null
      +root: null
      +body: "Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the ‘VPN’ container (for example running them with unshare). However, I wouldn’t recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it’s feasible."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 7
      +score: 0
      +lastActive: DateTime @1706207127 {#1717
        date: 2024-01-25 19:25:27.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@tubbadu@lemmy.kde.social"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1707 …}
      +nested: Doctrine\ORM\PersistentCollection {#2464 …}
      +votes: Doctrine\ORM\PersistentCollection {#2448 …}
      +reports: Doctrine\ORM\PersistentCollection {#2447 …}
      +favourites: Doctrine\ORM\PersistentCollection {#2462 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2461 …}
      -id: 339958
      -bodyTs: "'case':89 'cli':15 'compos':31 'contain':2,26,38,48,59,73 'creat':17 'default':4 'docker':14,30 'docker-compos':29 'exampl':61 'feasibl':95 'howev':66 'insid':52 'isol':79 'kind':85 'most':78 'namespac':10,55 'network':9,19,45,54 'outsid':37 'process':36 'recommend':70 'run':5,50,62,77 'separ':8 'share':23 'specif':18 'still':41 'suppos':75 'technic':34,92 'unshar':65 'use':13,28,42,88 'use-cas':87 'vpn':58 'workload':80 'wouldn':68 'yeah':91"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/7007733"
      +editedAt: null
      +createdAt: DateTimeImmutable @1706207127 {#1739
        date: 2024-01-25 19:25:27.0 +01:00
      }
      +"title": 339958
    }
  ]
  -id: 33027
  -titleTs: "'contain':7 'creat':4 'custom':9 'docker':6 'insid':11 'program':10"
  -bodyTs: "'account':6 'advanc':153 'alreadi':98,149 'also':72 'basic':144 'client':41,56,107 'complex':96 'compos':20 'configur':35,146 'connect':133 'contain':21,50,64 'crazi':156 'creat':47 'd':43,71 'docker':19,49,63 'done':150 'easi':90,141 'easy-medium':89 'edit':154 'enabl':109 'expos':59,121,129 'firewal':145 'free':5,23 'give':27 'gluetun':66,167 'hard':92 'hello':1 'hide.me':8,55 'idea':157 'implement':75 'insid':57 'instal':103 'instanc':69 'interfac':124 'ip':84 'key':30 'killswitch':77 'last':135 'leakag':85 'like':11,44,65,73,80 'medium':91 'miss':119 'network':123 'offici':40,54 'openvpn':32 'part':136 'plan':24 'possibl':162 'pretti':140 'prevent':83 'probabl':155 'run':52,105,114 'script':101 'someth':79,88,94 'startup':116 'thank':151 'think':138 'tips/something':148 'tri':13 'use':15 'vpn':110 'wireguard':34 'would':10,159"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1706287054
  +visibility: "visible             "
  +apId: "https://lemmy.kde.social/post/722914"
  +editedAt: null
  +createdAt: DateTimeImmutable @1706200654 {#2360
    date: 2024-01-25 17:37:34.0 +01:00
  }
  +__isInitialized__: true
   …2
}

Proxies\__CG__\App\Entity\Entry {#1740
  +user: Proxies\__CG__\App\Entity\User {#2372 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
  +slug: "How-do-I-create-a-docker-container-with-custom-programs"
  +title: "How do I create a docker container with custom programs inside?"
  +url: null
  +body: """
    Hello! I have a free account at hide.me and would like to try to use it with my docker compose containers. The free plan does not give me the keys for openVPN of Wireguard configuration, but only through the official client. I’d like then to create a docker container that runs the official hide.me client inside, and exposes it to other docker containers (like gluetun does, for instance). I’d also like to implement a killswitch or something like that to prevent ip leakage. Is this something easy-medium hard or something very complex? I already have a script that installs and runs the client to enable vpn that should be run at startup, but I miss the “expose the network interface” and the “do not expose it if not connected” (this last part I think is pretty easy with a basic firewall configuration)\n
    \n
    any tips/something already done?  \n
    thanks in advance!\n
    \n
    EDIT: probably crazy idea, but would it be possible to do this in gluetun?
    """
  +type: "article"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 11
  +favouriteCount: 30
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1728784342 {#2460
    date: 2024-10-13 03:52:22.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#2140 …}
  +votes: Doctrine\ORM\PersistentCollection {#2094 …}
  +reports: Doctrine\ORM\PersistentCollection {#2090 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2327 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2328 …}
  +badges: Doctrine\ORM\PersistentCollection {#2335 …}
  +children: [
    App\Entity\EntryComment {#1741
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1740 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: null
      +root: null
      +body: "Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the ‘VPN’ container (for example running them with unshare). However, I wouldn’t recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it’s feasible."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 7
      +score: 0
      +lastActive: DateTime @1706207127 {#1717
        date: 2024-01-25 19:25:27.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@tubbadu@lemmy.kde.social"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1707 …}
      +nested: Doctrine\ORM\PersistentCollection {#2464 …}
      +votes: Doctrine\ORM\PersistentCollection {#2448 …}
      +reports: Doctrine\ORM\PersistentCollection {#2447 …}
      +favourites: Doctrine\ORM\PersistentCollection {#2462 …}
      +notifications: Doctrine\ORM\PersistentCollection {#2461 …}
      -id: 339958
      -bodyTs: "'case':89 'cli':15 'compos':31 'contain':2,26,38,48,59,73 'creat':17 'default':4 'docker':14,30 'docker-compos':29 'exampl':61 'feasibl':95 'howev':66 'insid':52 'isol':79 'kind':85 'most':78 'namespac':10,55 'network':9,19,45,54 'outsid':37 'process':36 'recommend':70 'run':5,50,62,77 'separ':8 'share':23 'specif':18 'still':41 'suppos':75 'technic':34,92 'unshar':65 'use':13,28,42,88 'use-cas':87 'vpn':58 'workload':80 'wouldn':68 'yeah':91"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/7007733"
      +editedAt: null
      +createdAt: DateTimeImmutable @1706207127 {#1739
        date: 2024-01-25 19:25:27.0 +01:00
      }
      +"title": 339958
    }
  ]
  -id: 33027
  -titleTs: "'contain':7 'creat':4 'custom':9 'docker':6 'insid':11 'program':10"
  -bodyTs: "'account':6 'advanc':153 'alreadi':98,149 'also':72 'basic':144 'client':41,56,107 'complex':96 'compos':20 'configur':35,146 'connect':133 'contain':21,50,64 'crazi':156 'creat':47 'd':43,71 'docker':19,49,63 'done':150 'easi':90,141 'easy-medium':89 'edit':154 'enabl':109 'expos':59,121,129 'firewal':145 'free':5,23 'give':27 'gluetun':66,167 'hard':92 'hello':1 'hide.me':8,55 'idea':157 'implement':75 'insid':57 'instal':103 'instanc':69 'interfac':124 'ip':84 'key':30 'killswitch':77 'last':135 'leakag':85 'like':11,44,65,73,80 'medium':91 'miss':119 'network':123 'offici':40,54 'openvpn':32 'part':136 'plan':24 'possibl':162 'pretti':140 'prevent':83 'probabl':155 'run':52,105,114 'script':101 'someth':79,88,94 'startup':116 'thank':151 'think':138 'tips/something':148 'tri':13 'use':15 'vpn':110 'wireguard':34 'would':10,159"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1706287054
  +visibility: "visible             "
  +apId: "https://lemmy.kde.social/post/722914"
  +editedAt: null
  +createdAt: DateTimeImmutable @1706200654 {#2360
    date: 2024-01-25 17:37:34.0 +01:00
  }
  +__isInitialized__: true
   …2
}

null

App\Entity\EntryComment {#1741
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1740
    +user: Proxies\__CG__\App\Entity\User {#2372 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-do-I-create-a-docker-container-with-custom-programs"
    +title: "How do I create a docker container with custom programs inside?"
    +url: null
    +body: """
      Hello! I have a free account at hide.me and would like to try to use it with my docker compose containers. The free plan does not give me the keys for openVPN of Wireguard configuration, but only through the official client. I’d like then to create a docker container that runs the official hide.me client inside, and exposes it to other docker containers (like gluetun does, for instance). I’d also like to implement a killswitch or something like that to prevent ip leakage. Is this something easy-medium hard or something very complex? I already have a script that installs and runs the client to enable vpn that should be run at startup, but I miss the “expose the network interface” and the “do not expose it if not connected” (this last part I think is pretty easy with a basic firewall configuration)\n
      \n
      any tips/something already done?  \n
      thanks in advance!\n
      \n
      EDIT: probably crazy idea, but would it be possible to do this in gluetun?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 11
    +favouriteCount: 30
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1728784342 {#2460
      date: 2024-10-13 03:52:22.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2140 …}
    +votes: Doctrine\ORM\PersistentCollection {#2094 …}
    +reports: Doctrine\ORM\PersistentCollection {#2090 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2327 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2328 …}
    +badges: Doctrine\ORM\PersistentCollection {#2335 …}
    +children: [
      App\Entity\EntryComment {#1741}
    ]
    -id: 33027
    -titleTs: "'contain':7 'creat':4 'custom':9 'docker':6 'insid':11 'program':10"
    -bodyTs: "'account':6 'advanc':153 'alreadi':98,149 'also':72 'basic':144 'client':41,56,107 'complex':96 'compos':20 'configur':35,146 'connect':133 'contain':21,50,64 'crazi':156 'creat':47 'd':43,71 'docker':19,49,63 'done':150 'easi':90,141 'easy-medium':89 'edit':154 'enabl':109 'expos':59,121,129 'firewal':145 'free':5,23 'give':27 'gluetun':66,167 'hard':92 'hello':1 'hide.me':8,55 'idea':157 'implement':75 'insid':57 'instal':103 'instanc':69 'interfac':124 'ip':84 'key':30 'killswitch':77 'last':135 'leakag':85 'like':11,44,65,73,80 'medium':91 'miss':119 'network':123 'offici':40,54 'openvpn':32 'part':136 'plan':24 'possibl':162 'pretti':140 'prevent':83 'probabl':155 'run':52,105,114 'script':101 'someth':79,88,94 'startup':116 'thank':151 'think':138 'tips/something':148 'tri':13 'use':15 'vpn':110 'wireguard':34 'would':10,159"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1706287054
    +visibility: "visible             "
    +apId: "https://lemmy.kde.social/post/722914"
    +editedAt: null
    +createdAt: DateTimeImmutable @1706200654 {#2360
      date: 2024-01-25 17:37:34.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: null
  +root: null
  +body: "Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the ‘VPN’ container (for example running them with unshare). However, I wouldn’t recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it’s feasible."
  +lang: "en"
  +isAdult: false
  +favouriteCount: 7
  +score: 0
  +lastActive: DateTime @1706207127 {#1717
    date: 2024-01-25 19:25:27.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@tubbadu@lemmy.kde.social"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1707 …}
  +nested: Doctrine\ORM\PersistentCollection {#2464 …}
  +votes: Doctrine\ORM\PersistentCollection {#2448 …}
  +reports: Doctrine\ORM\PersistentCollection {#2447 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2462 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2461 …}
  -id: 339958
  -bodyTs: "'case':89 'cli':15 'compos':31 'contain':2,26,38,48,59,73 'creat':17 'default':4 'docker':14,30 'docker-compos':29 'exampl':61 'feasibl':95 'howev':66 'insid':52 'isol':79 'kind':85 'most':78 'namespac':10,55 'network':9,19,45,54 'outsid':37 'process':36 'recommend':70 'run':5,50,62,77 'separ':8 'share':23 'specif':18 'still':41 'suppos':75 'technic':34,92 'unshar':65 'use':13,28,42,88 'use-cas':87 'vpn':58 'workload':80 'wouldn':68 'yeah':91"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/7007733"
  +editedAt: null
  +createdAt: DateTimeImmutable @1706207127 {#1739
    date: 2024-01-25 19:25:27.0 +01:00
  }
  +"title": 339958
}

App\Entity\EntryComment {#1741
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1740
    +user: Proxies\__CG__\App\Entity\User {#2372 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-do-I-create-a-docker-container-with-custom-programs"
    +title: "How do I create a docker container with custom programs inside?"
    +url: null
    +body: """
      Hello! I have a free account at hide.me and would like to try to use it with my docker compose containers. The free plan does not give me the keys for openVPN of Wireguard configuration, but only through the official client. I’d like then to create a docker container that runs the official hide.me client inside, and exposes it to other docker containers (like gluetun does, for instance). I’d also like to implement a killswitch or something like that to prevent ip leakage. Is this something easy-medium hard or something very complex? I already have a script that installs and runs the client to enable vpn that should be run at startup, but I miss the “expose the network interface” and the “do not expose it if not connected” (this last part I think is pretty easy with a basic firewall configuration)\n
      \n
      any tips/something already done?  \n
      thanks in advance!\n
      \n
      EDIT: probably crazy idea, but would it be possible to do this in gluetun?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 11
    +favouriteCount: 30
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1728784342 {#2460
      date: 2024-10-13 03:52:22.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2140 …}
    +votes: Doctrine\ORM\PersistentCollection {#2094 …}
    +reports: Doctrine\ORM\PersistentCollection {#2090 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2327 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2328 …}
    +badges: Doctrine\ORM\PersistentCollection {#2335 …}
    +children: [
      App\Entity\EntryComment {#1741}
    ]
    -id: 33027
    -titleTs: "'contain':7 'creat':4 'custom':9 'docker':6 'insid':11 'program':10"
    -bodyTs: "'account':6 'advanc':153 'alreadi':98,149 'also':72 'basic':144 'client':41,56,107 'complex':96 'compos':20 'configur':35,146 'connect':133 'contain':21,50,64 'crazi':156 'creat':47 'd':43,71 'docker':19,49,63 'done':150 'easi':90,141 'easy-medium':89 'edit':154 'enabl':109 'expos':59,121,129 'firewal':145 'free':5,23 'give':27 'gluetun':66,167 'hard':92 'hello':1 'hide.me':8,55 'idea':157 'implement':75 'insid':57 'instal':103 'instanc':69 'interfac':124 'ip':84 'key':30 'killswitch':77 'last':135 'leakag':85 'like':11,44,65,73,80 'medium':91 'miss':119 'network':123 'offici':40,54 'openvpn':32 'part':136 'plan':24 'possibl':162 'pretti':140 'prevent':83 'probabl':155 'run':52,105,114 'script':101 'someth':79,88,94 'startup':116 'thank':151 'think':138 'tips/something':148 'tri':13 'use':15 'vpn':110 'wireguard':34 'would':10,159"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1706287054
    +visibility: "visible             "
    +apId: "https://lemmy.kde.social/post/722914"
    +editedAt: null
    +createdAt: DateTimeImmutable @1706200654 {#2360
      date: 2024-01-25 17:37:34.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: null
  +root: null
  +body: "Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the ‘VPN’ container (for example running them with unshare). However, I wouldn’t recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it’s feasible."
  +lang: "en"
  +isAdult: false
  +favouriteCount: 7
  +score: 0
  +lastActive: DateTime @1706207127 {#1717
    date: 2024-01-25 19:25:27.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@tubbadu@lemmy.kde.social"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1707 …}
  +nested: Doctrine\ORM\PersistentCollection {#2464 …}
  +votes: Doctrine\ORM\PersistentCollection {#2448 …}
  +reports: Doctrine\ORM\PersistentCollection {#2447 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2462 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2461 …}
  -id: 339958
  -bodyTs: "'case':89 'cli':15 'compos':31 'contain':2,26,38,48,59,73 'creat':17 'default':4 'docker':14,30 'docker-compos':29 'exampl':61 'feasibl':95 'howev':66 'insid':52 'isol':79 'kind':85 'most':78 'namespac':10,55 'network':9,19,45,54 'outsid':37 'process':36 'recommend':70 'run':5,50,62,77 'separ':8 'share':23 'specif':18 'still':41 'suppos':75 'technic':34,92 'unshar':65 'use':13,28,42,88 'use-cas':87 'vpn':58 'workload':80 'wouldn':68 'yeah':91"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/7007733"
  +editedAt: null
  +createdAt: DateTimeImmutable @1706207127 {#1739
    date: 2024-01-25 19:25:27.0 +01:00
  }
  +"title": 339958
}

App\Entity\EntryComment {#1741
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1740
    +user: Proxies\__CG__\App\Entity\User {#2372 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-do-I-create-a-docker-container-with-custom-programs"
    +title: "How do I create a docker container with custom programs inside?"
    +url: null
    +body: """
      Hello! I have a free account at hide.me and would like to try to use it with my docker compose containers. The free plan does not give me the keys for openVPN of Wireguard configuration, but only through the official client. I’d like then to create a docker container that runs the official hide.me client inside, and exposes it to other docker containers (like gluetun does, for instance). I’d also like to implement a killswitch or something like that to prevent ip leakage. Is this something easy-medium hard or something very complex? I already have a script that installs and runs the client to enable vpn that should be run at startup, but I miss the “expose the network interface” and the “do not expose it if not connected” (this last part I think is pretty easy with a basic firewall configuration)\n
      \n
      any tips/something already done?  \n
      thanks in advance!\n
      \n
      EDIT: probably crazy idea, but would it be possible to do this in gluetun?
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 11
    +favouriteCount: 30
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1728784342 {#2460
      date: 2024-10-13 03:52:22.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2140 …}
    +votes: Doctrine\ORM\PersistentCollection {#2094 …}
    +reports: Doctrine\ORM\PersistentCollection {#2090 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2327 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2328 …}
    +badges: Doctrine\ORM\PersistentCollection {#2335 …}
    +children: [
      App\Entity\EntryComment {#1741}
    ]
    -id: 33027
    -titleTs: "'contain':7 'creat':4 'custom':9 'docker':6 'insid':11 'program':10"
    -bodyTs: "'account':6 'advanc':153 'alreadi':98,149 'also':72 'basic':144 'client':41,56,107 'complex':96 'compos':20 'configur':35,146 'connect':133 'contain':21,50,64 'crazi':156 'creat':47 'd':43,71 'docker':19,49,63 'done':150 'easi':90,141 'easy-medium':89 'edit':154 'enabl':109 'expos':59,121,129 'firewal':145 'free':5,23 'give':27 'gluetun':66,167 'hard':92 'hello':1 'hide.me':8,55 'idea':157 'implement':75 'insid':57 'instal':103 'instanc':69 'interfac':124 'ip':84 'key':30 'killswitch':77 'last':135 'leakag':85 'like':11,44,65,73,80 'medium':91 'miss':119 'network':123 'offici':40,54 'openvpn':32 'part':136 'plan':24 'possibl':162 'pretti':140 'prevent':83 'probabl':155 'run':52,105,114 'script':101 'someth':79,88,94 'startup':116 'thank':151 'think':138 'tips/something':148 'tri':13 'use':15 'vpn':110 'wireguard':34 'would':10,159"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1706287054
    +visibility: "visible             "
    +apId: "https://lemmy.kde.social/post/722914"
    +editedAt: null
    +createdAt: DateTimeImmutable @1706200654 {#2360
      date: 2024-01-25 17:37:34.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: null
  +root: null
  +body: "Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the ‘VPN’ container (for example running them with unshare). However, I wouldn’t recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it’s feasible."
  +lang: "en"
  +isAdult: false
  +favouriteCount: 7
  +score: 0
  +lastActive: DateTime @1706207127 {#1717
    date: 2024-01-25 19:25:27.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@tubbadu@lemmy.kde.social"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1707 …}
  +nested: Doctrine\ORM\PersistentCollection {#2464 …}
  +votes: Doctrine\ORM\PersistentCollection {#2448 …}
  +reports: Doctrine\ORM\PersistentCollection {#2447 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2462 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2461 …}
  -id: 339958
  -bodyTs: "'case':89 'cli':15 'compos':31 'contain':2,26,38,48,59,73 'creat':17 'default':4 'docker':14,30 'docker-compos':29 'exampl':61 'feasibl':95 'howev':66 'insid':52 'isol':79 'kind':85 'most':78 'namespac':10,55 'network':9,19,45,54 'outsid':37 'process':36 'recommend':70 'run':5,50,62,77 'separ':8 'share':23 'specif':18 'still':41 'suppos':75 'technic':34,92 'unshar':65 'use':13,28,42,88 'use-cas':87 'vpn':58 'workload':80 'wouldn':68 'yeah':91"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/7007733"
  +editedAt: null
  +createdAt: DateTimeImmutable @1706207127 {#1739
    date: 2024-01-25 19:25:27.0 +01:00
  }
  +"title": 339958
}

null

Proxies\__CG__\App\Entity\Entry {#1626
  +user: Proxies\__CG__\App\Entity\User {#2338 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
  +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
  +title: "How to secure (podman or docker) containers for public-facing hosting?"
  +url: null
  +body: """
    Context\n
    -------\n
    \n
    I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
    \n
    Requirements\n
    ------------\n
    \n
    I want to run applications within containers such that they\n
    \n
    - Must not be able to interfere with applications running on host\n
    - Must not be able to interfere with other containers or applications inside them\n
    - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
    \n
    > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
    \n
    What I found so far\n
    -------------------\n
    \n
    - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
    - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
    - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
    \n
    Alternative solution\n
    --------------------\n
    \n
    I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
    """
  +type: "article"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 21
  +favouriteCount: 83
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1719138740 {#2337
    date: 2024-06-23 12:32:20.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#2159 …}
  +votes: Doctrine\ORM\PersistentCollection {#2074 …}
  +reports: Doctrine\ORM\PersistentCollection {#2071 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
  +badges: Doctrine\ORM\PersistentCollection {#2056 …}
  +children: [
    1 => App\Entity\EntryComment {#1628
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: null
      +root: null
      +body: """
        You already mentioned the most important things.\n
        \n
        I will add, at the cost of being pedantic:\n
        \n
        - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
        - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
        - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
        \n
        If you want to go hardcore:\n
        \n
        - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
        - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 6
      +score: 0
      +lastActive: DateTime @1719122506 {#1630
        date: 2024-06-23 08:01:46.0 +02:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@cyclohexane@lemmy.ml"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1599 …}
      +nested: Doctrine\ORM\PersistentCollection {#1625 …}
      +votes: Doctrine\ORM\PersistentCollection {#1617 …}
      +reports: Doctrine\ORM\PersistentCollection {#1725 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
      -id: 288266
      -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/6473668"
      +editedAt: null
      +createdAt: DateTimeImmutable @1704620762 {#1629
        date: 2024-01-07 10:46:02.0 +01:00
      }
      +"title": 288266
    }
    0 => App\Entity\EntryComment {#1737
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
      +root: App\Entity\EntryComment {#1628}
      +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1704690575 {#1736
        date: 2024-01-08 06:09:35.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@cyclohexane@lemmy.ml"
        "@sudneo@lemmy.world"
        "@krash@lemmy.ml"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1732 …}
      +nested: Doctrine\ORM\PersistentCollection {#1735 …}
      +votes: Doctrine\ORM\PersistentCollection {#1729 …}
      +reports: Doctrine\ORM\PersistentCollection {#1719 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
      -id: 290565
      -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/6491825"
      +editedAt: null
      +createdAt: DateTimeImmutable @1704690575 {#1730
        date: 2024-01-08 06:09:35.0 +01:00
      }
      +"title": 290565
    }
  ]
  -id: 27753
  -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
  -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1704677667
  +visibility: "visible             "
  +apId: "https://lemmy.ml/post/10216078"
  +editedAt: DateTimeImmutable @1712598393 {#2079
    date: 2024-04-08 19:46:33.0 +02:00
  }
  +createdAt: DateTimeImmutable @1704591267 {#2062
    date: 2024-01-07 02:34:27.0 +01:00
  }
  +__isInitialized__: true
   …2
}

Proxies\__CG__\App\Entity\Entry {#1626
  +user: Proxies\__CG__\App\Entity\User {#2338 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
  +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
  +title: "How to secure (podman or docker) containers for public-facing hosting?"
  +url: null
  +body: """
    Context\n
    -------\n
    \n
    I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
    \n
    Requirements\n
    ------------\n
    \n
    I want to run applications within containers such that they\n
    \n
    - Must not be able to interfere with applications running on host\n
    - Must not be able to interfere with other containers or applications inside them\n
    - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
    \n
    > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
    \n
    What I found so far\n
    -------------------\n
    \n
    - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
    - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
    - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
    \n
    Alternative solution\n
    --------------------\n
    \n
    I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
    """
  +type: "article"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 21
  +favouriteCount: 83
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1719138740 {#2337
    date: 2024-06-23 12:32:20.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#2159 …}
  +votes: Doctrine\ORM\PersistentCollection {#2074 …}
  +reports: Doctrine\ORM\PersistentCollection {#2071 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
  +badges: Doctrine\ORM\PersistentCollection {#2056 …}
  +children: [
    1 => App\Entity\EntryComment {#1628
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: null
      +root: null
      +body: """
        You already mentioned the most important things.\n
        \n
        I will add, at the cost of being pedantic:\n
        \n
        - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
        - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
        - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
        \n
        If you want to go hardcore:\n
        \n
        - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
        - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 6
      +score: 0
      +lastActive: DateTime @1719122506 {#1630
        date: 2024-06-23 08:01:46.0 +02:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@cyclohexane@lemmy.ml"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1599 …}
      +nested: Doctrine\ORM\PersistentCollection {#1625 …}
      +votes: Doctrine\ORM\PersistentCollection {#1617 …}
      +reports: Doctrine\ORM\PersistentCollection {#1725 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
      -id: 288266
      -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/6473668"
      +editedAt: null
      +createdAt: DateTimeImmutable @1704620762 {#1629
        date: 2024-01-07 10:46:02.0 +01:00
      }
      +"title": 288266
    }
    0 => App\Entity\EntryComment {#1737
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
      +root: App\Entity\EntryComment {#1628}
      +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1704690575 {#1736
        date: 2024-01-08 06:09:35.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@cyclohexane@lemmy.ml"
        "@sudneo@lemmy.world"
        "@krash@lemmy.ml"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1732 …}
      +nested: Doctrine\ORM\PersistentCollection {#1735 …}
      +votes: Doctrine\ORM\PersistentCollection {#1729 …}
      +reports: Doctrine\ORM\PersistentCollection {#1719 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
      -id: 290565
      -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/6491825"
      +editedAt: null
      +createdAt: DateTimeImmutable @1704690575 {#1730
        date: 2024-01-08 06:09:35.0 +01:00
      }
      +"title": 290565
    }
  ]
  -id: 27753
  -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
  -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1704677667
  +visibility: "visible             "
  +apId: "https://lemmy.ml/post/10216078"
  +editedAt: DateTimeImmutable @1712598393 {#2079
    date: 2024-04-08 19:46:33.0 +02:00
  }
  +createdAt: DateTimeImmutable @1704591267 {#2062
    date: 2024-01-07 02:34:27.0 +01:00
  }
  +__isInitialized__: true
   …2
}

Proxies\__CG__\App\Entity\Entry {#1626
  +user: Proxies\__CG__\App\Entity\User {#2338 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
  +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
  +title: "How to secure (podman or docker) containers for public-facing hosting?"
  +url: null
  +body: """
    Context\n
    -------\n
    \n
    I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
    \n
    Requirements\n
    ------------\n
    \n
    I want to run applications within containers such that they\n
    \n
    - Must not be able to interfere with applications running on host\n
    - Must not be able to interfere with other containers or applications inside them\n
    - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
    \n
    > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
    \n
    What I found so far\n
    -------------------\n
    \n
    - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
    - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
    - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
    \n
    Alternative solution\n
    --------------------\n
    \n
    I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
    """
  +type: "article"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 21
  +favouriteCount: 83
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1719138740 {#2337
    date: 2024-06-23 12:32:20.0 +02:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#2159 …}
  +votes: Doctrine\ORM\PersistentCollection {#2074 …}
  +reports: Doctrine\ORM\PersistentCollection {#2071 …}
  +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
  +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
  +badges: Doctrine\ORM\PersistentCollection {#2056 …}
  +children: [
    1 => App\Entity\EntryComment {#1628
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: null
      +root: null
      +body: """
        You already mentioned the most important things.\n
        \n
        I will add, at the cost of being pedantic:\n
        \n
        - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
        - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
        - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
        \n
        If you want to go hardcore:\n
        \n
        - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
        - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 6
      +score: 0
      +lastActive: DateTime @1719122506 {#1630
        date: 2024-06-23 08:01:46.0 +02:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@cyclohexane@lemmy.ml"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1599 …}
      +nested: Doctrine\ORM\PersistentCollection {#1625 …}
      +votes: Doctrine\ORM\PersistentCollection {#1617 …}
      +reports: Doctrine\ORM\PersistentCollection {#1725 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
      -id: 288266
      -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/6473668"
      +editedAt: null
      +createdAt: DateTimeImmutable @1704620762 {#1629
        date: 2024-01-07 10:46:02.0 +01:00
      }
      +"title": 288266
    }
    0 => App\Entity\EntryComment {#1737
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
      +image: null
      +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
      +root: App\Entity\EntryComment {#1628}
      +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
      +lang: "en"
      +isAdult: false
      +favouriteCount: 1
      +score: 0
      +lastActive: DateTime @1704690575 {#1736
        date: 2024-01-08 06:09:35.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@cyclohexane@lemmy.ml"
        "@sudneo@lemmy.world"
        "@krash@lemmy.ml"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1732 …}
      +nested: Doctrine\ORM\PersistentCollection {#1735 …}
      +votes: Doctrine\ORM\PersistentCollection {#1729 …}
      +reports: Doctrine\ORM\PersistentCollection {#1719 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
      -id: 290565
      -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://lemmy.world/comment/6491825"
      +editedAt: null
      +createdAt: DateTimeImmutable @1704690575 {#1730
        date: 2024-01-08 06:09:35.0 +01:00
      }
      +"title": 290565
    }
  ]
  -id: 27753
  -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
  -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1704677667
  +visibility: "visible             "
  +apId: "https://lemmy.ml/post/10216078"
  +editedAt: DateTimeImmutable @1712598393 {#2079
    date: 2024-04-08 19:46:33.0 +02:00
  }
  +createdAt: DateTimeImmutable @1704591267 {#2062
    date: 2024-01-07 02:34:27.0 +01:00
  }
  +__isInitialized__: true
   …2
}

null

App\Entity\EntryComment {#1628
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1626
    +user: Proxies\__CG__\App\Entity\User {#2338 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
    +title: "How to secure (podman or docker) containers for public-facing hosting?"
    +url: null
    +body: """
      Context\n
      -------\n
      \n
      I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
      \n
      Requirements\n
      ------------\n
      \n
      I want to run applications within containers such that they\n
      \n
      - Must not be able to interfere with applications running on host\n
      - Must not be able to interfere with other containers or applications inside them\n
      - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
      \n
      > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
      \n
      What I found so far\n
      -------------------\n
      \n
      - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
      - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
      - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
      \n
      Alternative solution\n
      --------------------\n
      \n
      I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 21
    +favouriteCount: 83
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1719138740 {#2337
      date: 2024-06-23 12:32:20.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2159 …}
    +votes: Doctrine\ORM\PersistentCollection {#2074 …}
    +reports: Doctrine\ORM\PersistentCollection {#2071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
    +badges: Doctrine\ORM\PersistentCollection {#2056 …}
    +children: [
      1 => App\Entity\EntryComment {#1628}
      0 => App\Entity\EntryComment {#1737
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
        +image: null
        +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
        +root: App\Entity\EntryComment {#1628}
        +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
        +lang: "en"
        +isAdult: false
        +favouriteCount: 1
        +score: 0
        +lastActive: DateTime @1704690575 {#1736
          date: 2024-01-08 06:09:35.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@cyclohexane@lemmy.ml"
          "@sudneo@lemmy.world"
          "@krash@lemmy.ml"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1732 …}
        +nested: Doctrine\ORM\PersistentCollection {#1735 …}
        +votes: Doctrine\ORM\PersistentCollection {#1729 …}
        +reports: Doctrine\ORM\PersistentCollection {#1719 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
        -id: 290565
        -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://lemmy.world/comment/6491825"
        +editedAt: null
        +createdAt: DateTimeImmutable @1704690575 {#1730
          date: 2024-01-08 06:09:35.0 +01:00
        }
        +"title": 290565
      }
    ]
    -id: 27753
    -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
    -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1704677667
    +visibility: "visible             "
    +apId: "https://lemmy.ml/post/10216078"
    +editedAt: DateTimeImmutable @1712598393 {#2079
      date: 2024-04-08 19:46:33.0 +02:00
    }
    +createdAt: DateTimeImmutable @1704591267 {#2062
      date: 2024-01-07 02:34:27.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: null
  +root: null
  +body: """
    You already mentioned the most important things.\n
    \n
    I will add, at the cost of being pedantic:\n
    \n
    - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
    - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
    - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
    \n
    If you want to go hardcore:\n
    \n
    - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
    - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 6
  +score: 0
  +lastActive: DateTime @1719122506 {#1630
    date: 2024-06-23 08:01:46.0 +02:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@cyclohexane@lemmy.ml"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1599 …}
  +nested: Doctrine\ORM\PersistentCollection {#1625 …}
  +votes: Doctrine\ORM\PersistentCollection {#1617 …}
  +reports: Doctrine\ORM\PersistentCollection {#1725 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
  -id: 288266
  -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/6473668"
  +editedAt: null
  +createdAt: DateTimeImmutable @1704620762 {#1629
    date: 2024-01-07 10:46:02.0 +01:00
  }
  +"title": 288266
}

App\Entity\EntryComment {#1628
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1626
    +user: Proxies\__CG__\App\Entity\User {#2338 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
    +title: "How to secure (podman or docker) containers for public-facing hosting?"
    +url: null
    +body: """
      Context\n
      -------\n
      \n
      I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
      \n
      Requirements\n
      ------------\n
      \n
      I want to run applications within containers such that they\n
      \n
      - Must not be able to interfere with applications running on host\n
      - Must not be able to interfere with other containers or applications inside them\n
      - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
      \n
      > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
      \n
      What I found so far\n
      -------------------\n
      \n
      - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
      - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
      - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
      \n
      Alternative solution\n
      --------------------\n
      \n
      I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 21
    +favouriteCount: 83
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1719138740 {#2337
      date: 2024-06-23 12:32:20.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2159 …}
    +votes: Doctrine\ORM\PersistentCollection {#2074 …}
    +reports: Doctrine\ORM\PersistentCollection {#2071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
    +badges: Doctrine\ORM\PersistentCollection {#2056 …}
    +children: [
      1 => App\Entity\EntryComment {#1628}
      0 => App\Entity\EntryComment {#1737
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
        +image: null
        +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
        +root: App\Entity\EntryComment {#1628}
        +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
        +lang: "en"
        +isAdult: false
        +favouriteCount: 1
        +score: 0
        +lastActive: DateTime @1704690575 {#1736
          date: 2024-01-08 06:09:35.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@cyclohexane@lemmy.ml"
          "@sudneo@lemmy.world"
          "@krash@lemmy.ml"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1732 …}
        +nested: Doctrine\ORM\PersistentCollection {#1735 …}
        +votes: Doctrine\ORM\PersistentCollection {#1729 …}
        +reports: Doctrine\ORM\PersistentCollection {#1719 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
        -id: 290565
        -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://lemmy.world/comment/6491825"
        +editedAt: null
        +createdAt: DateTimeImmutable @1704690575 {#1730
          date: 2024-01-08 06:09:35.0 +01:00
        }
        +"title": 290565
      }
    ]
    -id: 27753
    -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
    -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1704677667
    +visibility: "visible             "
    +apId: "https://lemmy.ml/post/10216078"
    +editedAt: DateTimeImmutable @1712598393 {#2079
      date: 2024-04-08 19:46:33.0 +02:00
    }
    +createdAt: DateTimeImmutable @1704591267 {#2062
      date: 2024-01-07 02:34:27.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: null
  +root: null
  +body: """
    You already mentioned the most important things.\n
    \n
    I will add, at the cost of being pedantic:\n
    \n
    - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
    - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
    - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
    \n
    If you want to go hardcore:\n
    \n
    - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
    - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 6
  +score: 0
  +lastActive: DateTime @1719122506 {#1630
    date: 2024-06-23 08:01:46.0 +02:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@cyclohexane@lemmy.ml"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1599 …}
  +nested: Doctrine\ORM\PersistentCollection {#1625 …}
  +votes: Doctrine\ORM\PersistentCollection {#1617 …}
  +reports: Doctrine\ORM\PersistentCollection {#1725 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
  -id: 288266
  -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/6473668"
  +editedAt: null
  +createdAt: DateTimeImmutable @1704620762 {#1629
    date: 2024-01-07 10:46:02.0 +01:00
  }
  +"title": 288266
}

App\Entity\EntryComment {#1628
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1626
    +user: Proxies\__CG__\App\Entity\User {#2338 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
    +title: "How to secure (podman or docker) containers for public-facing hosting?"
    +url: null
    +body: """
      Context\n
      -------\n
      \n
      I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
      \n
      Requirements\n
      ------------\n
      \n
      I want to run applications within containers such that they\n
      \n
      - Must not be able to interfere with applications running on host\n
      - Must not be able to interfere with other containers or applications inside them\n
      - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
      \n
      > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
      \n
      What I found so far\n
      -------------------\n
      \n
      - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
      - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
      - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
      \n
      Alternative solution\n
      --------------------\n
      \n
      I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 21
    +favouriteCount: 83
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1719138740 {#2337
      date: 2024-06-23 12:32:20.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2159 …}
    +votes: Doctrine\ORM\PersistentCollection {#2074 …}
    +reports: Doctrine\ORM\PersistentCollection {#2071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
    +badges: Doctrine\ORM\PersistentCollection {#2056 …}
    +children: [
      1 => App\Entity\EntryComment {#1628}
      0 => App\Entity\EntryComment {#1737
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
        +image: null
        +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
        +root: App\Entity\EntryComment {#1628}
        +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
        +lang: "en"
        +isAdult: false
        +favouriteCount: 1
        +score: 0
        +lastActive: DateTime @1704690575 {#1736
          date: 2024-01-08 06:09:35.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@cyclohexane@lemmy.ml"
          "@sudneo@lemmy.world"
          "@krash@lemmy.ml"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1732 …}
        +nested: Doctrine\ORM\PersistentCollection {#1735 …}
        +votes: Doctrine\ORM\PersistentCollection {#1729 …}
        +reports: Doctrine\ORM\PersistentCollection {#1719 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
        -id: 290565
        -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://lemmy.world/comment/6491825"
        +editedAt: null
        +createdAt: DateTimeImmutable @1704690575 {#1730
          date: 2024-01-08 06:09:35.0 +01:00
        }
        +"title": 290565
      }
    ]
    -id: 27753
    -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
    -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1704677667
    +visibility: "visible             "
    +apId: "https://lemmy.ml/post/10216078"
    +editedAt: DateTimeImmutable @1712598393 {#2079
      date: 2024-04-08 19:46:33.0 +02:00
    }
    +createdAt: DateTimeImmutable @1704591267 {#2062
      date: 2024-01-07 02:34:27.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: null
  +root: null
  +body: """
    You already mentioned the most important things.\n
    \n
    I will add, at the cost of being pedantic:\n
    \n
    - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
    - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
    - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
    \n
    If you want to go hardcore:\n
    \n
    - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
    - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 6
  +score: 0
  +lastActive: DateTime @1719122506 {#1630
    date: 2024-06-23 08:01:46.0 +02:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@cyclohexane@lemmy.ml"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1599 …}
  +nested: Doctrine\ORM\PersistentCollection {#1625 …}
  +votes: Doctrine\ORM\PersistentCollection {#1617 …}
  +reports: Doctrine\ORM\PersistentCollection {#1725 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
  -id: 288266
  -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/6473668"
  +editedAt: null
  +createdAt: DateTimeImmutable @1704620762 {#1629
    date: 2024-01-07 10:46:02.0 +01:00
  }
  +"title": 288266
}

null

App\Entity\EntryComment {#1737
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1626
    +user: Proxies\__CG__\App\Entity\User {#2338 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
    +title: "How to secure (podman or docker) containers for public-facing hosting?"
    +url: null
    +body: """
      Context\n
      -------\n
      \n
      I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
      \n
      Requirements\n
      ------------\n
      \n
      I want to run applications within containers such that they\n
      \n
      - Must not be able to interfere with applications running on host\n
      - Must not be able to interfere with other containers or applications inside them\n
      - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
      \n
      > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
      \n
      What I found so far\n
      -------------------\n
      \n
      - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
      - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
      - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
      \n
      Alternative solution\n
      --------------------\n
      \n
      I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 21
    +favouriteCount: 83
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1719138740 {#2337
      date: 2024-06-23 12:32:20.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2159 …}
    +votes: Doctrine\ORM\PersistentCollection {#2074 …}
    +reports: Doctrine\ORM\PersistentCollection {#2071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
    +badges: Doctrine\ORM\PersistentCollection {#2056 …}
    +children: [
      1 => App\Entity\EntryComment {#1628
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
        +image: null
        +parent: null
        +root: null
        +body: """
          You already mentioned the most important things.\n
          \n
          I will add, at the cost of being pedantic:\n
          \n
          - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
          - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
          - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
          \n
          If you want to go hardcore:\n
          \n
          - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
          - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 6
        +score: 0
        +lastActive: DateTime @1719122506 {#1630
          date: 2024-06-23 08:01:46.0 +02:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@cyclohexane@lemmy.ml"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1599 …}
        +nested: Doctrine\ORM\PersistentCollection {#1625 …}
        +votes: Doctrine\ORM\PersistentCollection {#1617 …}
        +reports: Doctrine\ORM\PersistentCollection {#1725 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
        -id: 288266
        -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://lemmy.world/comment/6473668"
        +editedAt: null
        +createdAt: DateTimeImmutable @1704620762 {#1629
          date: 2024-01-07 10:46:02.0 +01:00
        }
        +"title": 288266
      }
      0 => App\Entity\EntryComment {#1737}
    ]
    -id: 27753
    -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
    -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1704677667
    +visibility: "visible             "
    +apId: "https://lemmy.ml/post/10216078"
    +editedAt: DateTimeImmutable @1712598393 {#2079
      date: 2024-04-08 19:46:33.0 +02:00
    }
    +createdAt: DateTimeImmutable @1704591267 {#2062
      date: 2024-01-07 02:34:27.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
  +root: App\Entity\EntryComment {#1628}
  +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
  +lang: "en"
  +isAdult: false
  +favouriteCount: 1
  +score: 0
  +lastActive: DateTime @1704690575 {#1736
    date: 2024-01-08 06:09:35.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@cyclohexane@lemmy.ml"
    "@sudneo@lemmy.world"
    "@krash@lemmy.ml"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1732 …}
  +nested: Doctrine\ORM\PersistentCollection {#1735 …}
  +votes: Doctrine\ORM\PersistentCollection {#1729 …}
  +reports: Doctrine\ORM\PersistentCollection {#1719 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
  -id: 290565
  -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/6491825"
  +editedAt: null
  +createdAt: DateTimeImmutable @1704690575 {#1730
    date: 2024-01-08 06:09:35.0 +01:00
  }
  +"title": 290565
}

App\Entity\EntryComment {#1737
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1626
    +user: Proxies\__CG__\App\Entity\User {#2338 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
    +title: "How to secure (podman or docker) containers for public-facing hosting?"
    +url: null
    +body: """
      Context\n
      -------\n
      \n
      I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
      \n
      Requirements\n
      ------------\n
      \n
      I want to run applications within containers such that they\n
      \n
      - Must not be able to interfere with applications running on host\n
      - Must not be able to interfere with other containers or applications inside them\n
      - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
      \n
      > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
      \n
      What I found so far\n
      -------------------\n
      \n
      - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
      - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
      - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
      \n
      Alternative solution\n
      --------------------\n
      \n
      I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 21
    +favouriteCount: 83
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1719138740 {#2337
      date: 2024-06-23 12:32:20.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2159 …}
    +votes: Doctrine\ORM\PersistentCollection {#2074 …}
    +reports: Doctrine\ORM\PersistentCollection {#2071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
    +badges: Doctrine\ORM\PersistentCollection {#2056 …}
    +children: [
      1 => App\Entity\EntryComment {#1628
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
        +image: null
        +parent: null
        +root: null
        +body: """
          You already mentioned the most important things.\n
          \n
          I will add, at the cost of being pedantic:\n
          \n
          - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
          - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
          - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
          \n
          If you want to go hardcore:\n
          \n
          - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
          - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 6
        +score: 0
        +lastActive: DateTime @1719122506 {#1630
          date: 2024-06-23 08:01:46.0 +02:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@cyclohexane@lemmy.ml"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1599 …}
        +nested: Doctrine\ORM\PersistentCollection {#1625 …}
        +votes: Doctrine\ORM\PersistentCollection {#1617 …}
        +reports: Doctrine\ORM\PersistentCollection {#1725 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
        -id: 288266
        -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://lemmy.world/comment/6473668"
        +editedAt: null
        +createdAt: DateTimeImmutable @1704620762 {#1629
          date: 2024-01-07 10:46:02.0 +01:00
        }
        +"title": 288266
      }
      0 => App\Entity\EntryComment {#1737}
    ]
    -id: 27753
    -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
    -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1704677667
    +visibility: "visible             "
    +apId: "https://lemmy.ml/post/10216078"
    +editedAt: DateTimeImmutable @1712598393 {#2079
      date: 2024-04-08 19:46:33.0 +02:00
    }
    +createdAt: DateTimeImmutable @1704591267 {#2062
      date: 2024-01-07 02:34:27.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
  +root: App\Entity\EntryComment {#1628}
  +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
  +lang: "en"
  +isAdult: false
  +favouriteCount: 1
  +score: 0
  +lastActive: DateTime @1704690575 {#1736
    date: 2024-01-08 06:09:35.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@cyclohexane@lemmy.ml"
    "@sudneo@lemmy.world"
    "@krash@lemmy.ml"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1732 …}
  +nested: Doctrine\ORM\PersistentCollection {#1735 …}
  +votes: Doctrine\ORM\PersistentCollection {#1729 …}
  +reports: Doctrine\ORM\PersistentCollection {#1719 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
  -id: 290565
  -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/6491825"
  +editedAt: null
  +createdAt: DateTimeImmutable @1704690575 {#1730
    date: 2024-01-08 06:09:35.0 +01:00
  }
  +"title": 290565
}

App\Entity\EntryComment {#1737
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1626
    +user: Proxies\__CG__\App\Entity\User {#2338 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#2130 …}
    +slug: "How-to-secure-podman-or-docker-containers-for-public-facing-hosting"
    +title: "How to secure (podman or docker) containers for public-facing hosting?"
    +url: null
    +body: """
      Context\n
      -------\n
      \n
      I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.\n
      \n
      Requirements\n
      ------------\n
      \n
      I want to run applications within containers such that they\n
      \n
      - Must not be able to interfere with applications running on host\n
      - Must not be able to interfere with other containers or applications inside them\n
      - Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.\n
      \n
      > Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.\n
      \n
      What I found so far\n
      -------------------\n
      \n
      - **Running containers in rootless mode:** in other words, running the container daemon with an unprivileged host user\n
      - **Running applications in container under unprivileged users:** the container user under which the container is ran should be unprivileged\n
      - **Networking:** The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.\n
      \n
      Alternative solution\n
      --------------------\n
      \n
      I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.
      """
    +type: "article"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 21
    +favouriteCount: 83
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1719138740 {#2337
      date: 2024-06-23 12:32:20.0 +02:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#2159 …}
    +votes: Doctrine\ORM\PersistentCollection {#2074 …}
    +reports: Doctrine\ORM\PersistentCollection {#2071 …}
    +favourites: Doctrine\ORM\PersistentCollection {#2070 …}
    +notifications: Doctrine\ORM\PersistentCollection {#2048 …}
    +badges: Doctrine\ORM\PersistentCollection {#2056 …}
    +children: [
      1 => App\Entity\EntryComment {#1628
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1626 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
        +image: null
        +parent: null
        +root: null
        +body: """
          You already mentioned the most important things.\n
          \n
          I will add, at the cost of being pedantic:\n
          \n
          - build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).\n
          - do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.\n
          - do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.\n
          \n
          If you want to go hardcore:\n
          \n
          - analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.\n
          - run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 6
        +score: 0
        +lastActive: DateTime @1719122506 {#1630
          date: 2024-06-23 08:01:46.0 +02:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@cyclohexane@lemmy.ml"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1599 …}
        +nested: Doctrine\ORM\PersistentCollection {#1625 …}
        +votes: Doctrine\ORM\PersistentCollection {#1617 …}
        +reports: Doctrine\ORM\PersistentCollection {#1725 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1722 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1726 …}
        -id: 288266
        -bodyTs: "'add':10 'addit':117 'alreadi':2 'analyz':96 'app':129 'applic':98 'build':17,102 'caught':156 'compar':110 'contain':65,89 'cost':13 'custom':146 'cves':42 'dedic':57 'default':113,141 'depend':28 'doesn':130 'due':40 'etc':70,80,161 'even':138 'exploit':125,148,152 'falco':134 'feasibl':101 'go':94 'good':23 'hardcor':95 'homedir':69 'host':48,75,78 'imag':19,24,35 'import':6 'less':38,43 'like':77 'limit':27,116 'mani':147 'map':83 'mean':26 'mention':3 'might':115,120 'minim':34 'mount':47 'much':30 'namespac':76 'need':132 'network':79 'node':137 'noth':145 'own':59 'pedant':16 'port':82 'possibl':32,37 'post':151 'posts-exploit':150 'profil':109 'proper':20 'realli':52 'restrict':107 'rule':144 'run':73,133 'seccomp':108 'send':85 'set':142 'shell':159 'spawn':160 'step':153 'subpath':58 'syscal':118 'thing':7 'tool':44 'traffic':86 'updat':39 'use':22,55,68,81,104,122 'user':62 'volum':49 'want':92 'would':154"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://lemmy.world/comment/6473668"
        +editedAt: null
        +createdAt: DateTimeImmutable @1704620762 {#1629
          date: 2024-01-07 10:46:02.0 +01:00
        }
        +"title": 288266
      }
      0 => App\Entity\EntryComment {#1737}
    ]
    -id: 27753
    -titleTs: "'contain':7 'docker':6 'face':11 'host':12 'podman':4 'public':10 'public-fac':9 'secur':3"
    -bodyTs: "'abl':50,61 'accept':133 'access':74,94 'altern':202,211 'applic':9,41,54,68,157 'appreci':199 'bubblewrap':207 'compromis':17,86 'contain':21,43,66,140,149,159,164,169,177 'context':1 'daemon':150 'devic':79,96 'direct':223 'eventu':121 'exampl':118 'explor':32,194 'face':8 'far':138 'fix':123 'found':136 'get':122 'home':15 'host':5,57,154 'influenc':76 'inform':228 'insid':69 'intend':219 'interfer':52,63 'kernel':116 'like':114,125,215 'local':82 'manner':226 'may':110 'might':22 'mode':143 'must':47,58,71,180 'network':83,91,175,179 'note':99 'occasion':112 'one':24 'otherwis':85 'present':208 'public':7 'public-fac':6 'ran':171 'realiz':20 'reason':104,128 'requir':36 'resourc':201 'restrict':182 'risk':124 'rootless':142 'rout':34 'run':40,55,139,147,156 'scarc':235 'secur':18,88 'seem':214 'seen':206 'server':12 'shall':193 'solut':203 'sometim':108 'ssh':98 'still':93,185 'sure':187 'understand':106 'unprivileg':153,161,174 'use':222,230 'user':155,162,165 'via':97 'vulner':113 'want':3,30,38 'way':25 'will':131 'within':42,103,127 'without':16 'word':146 'would':120,198"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1704677667
    +visibility: "visible             "
    +apId: "https://lemmy.ml/post/10216078"
    +editedAt: DateTimeImmutable @1712598393 {#2079
      date: 2024-04-08 19:46:33.0 +02:00
    }
    +createdAt: DateTimeImmutable @1704591267 {#2062
      date: 2024-01-07 02:34:27.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1575 …}
  +image: null
  +parent: Proxies\__CG__\App\Entity\EntryComment {#1734 …}
  +root: App\Entity\EntryComment {#1628}
  +body: "It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight)."
  +lang: "en"
  +isAdult: false
  +favouriteCount: 1
  +score: 0
  +lastActive: DateTime @1704690575 {#1736
    date: 2024-01-08 06:09:35.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@cyclohexane@lemmy.ml"
    "@sudneo@lemmy.world"
    "@krash@lemmy.ml"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1732 …}
  +nested: Doctrine\ORM\PersistentCollection {#1735 …}
  +votes: Doctrine\ORM\PersistentCollection {#1729 …}
  +reports: Doctrine\ORM\PersistentCollection {#1719 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1714 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1720 …}
  -id: 290565
  -bodyTs: "'afaik':20 'aqua':22 'base':14 'cncf':49 'communiti':44 'competitor':19 'contain':10 'de':5 'de-facto':4 'disappear':58 'enterpris':53 'facto':6 'i.e':55 'less':29 'maintain':41 'matur':30 'overnight':59 'project':50 'rule':40 'runtim':9 'secur':11,23 'shouldn':56 'solut':54 'standard':7 'support':35 'sysdig':12 'ton':38 'trace':25 'use':51 'way':28 'well':34"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://lemmy.world/comment/6491825"
  +editedAt: null
  +createdAt: DateTimeImmutable @1704690575 {#1730
    date: 2024-01-08 06:09:35.0 +01:00
  }
  +"title": 290565
}