Have a Debian 9 home server with important things on it. Previously used unprivileged LXC containers for Plex, Syncthing, etc. as a step to mitigate potential exploits and backdoors (e.g. Plex is nonfree), but this is tedious. I’d like to use Docker instead because it’s easier than maintaining half a dozen LXC containers manually. I don’t know much about Docker but see some potential issues:

- How do I know the Docker images I pull are secure? Are signed containers and Docker Content Trust (or something like them) widely used? Are the majority of popular images on Docker Hub?
- Are Docker containers launched by root as secure as an unprivileged LXC container? Is an unprivileged LXC container locked down enough to protect my important things on the host?
- Would running Docker inside a VM or unprivileged LXC container provide meaningful security for my important things? Is there a way to have Docker and my important things on the same computer without a significant security compromise (for home use)?

Apps like Syncthing and Plex are generally going to have Docker images from more trustworthy and competent sources, but I would also like to run video game servers in Docker, many of which (e.g. kf2) may be too obscure to rely on the community to review the source code and keep track of bad actors.