Hey everyone! I'm a sysadmin venturing into Docker and have a burning question. I'm currently running Home Assistant OS on a VM in Proxmox, and I'm planning to set up a Docker VM for some applications like *arrs, Bookstack, and Pi-hole. The twist is, I typically run services in separate VMs at work due to security concerns, but at home, I want to consolidate without risking security. My question is: Is there a risk in having publicly exposed services like Bookstack on the same Docker host as internal ones such as Pi-hole? If someone were to exploit my Bookstack instance, could they potentially access my internal DNS? My instinct is to keep them on separate Docker hosts, but I'm wondering if that's truly necessary since I have limited resources. Plus, my home network setup doesn't allow for a DMZ or VLANs. Is running everything on one host really a bad idea? I'd love some insights on this. Thanks!
2 Answers
You're onto something by wanting to isolate the services! If an attacker gets into a public service, they might be able to access your internal ones through the container network. It's definitely safer to keep public services separate. While container escape is rare, lateral movement within the network is a real threat that you want to mitigate if you can. A separate host would add extra security.
I totally get your dilemma! One way to improve security is to use separate Docker networks for your containers. If you set them up this way, containers on different networks can't communicate with each other. However, be mindful that if a public service is compromised, there’s still some risk since they share the same host kernel. So, if you can, isolating public services on a different Docker host is definitely a safer approach. Better to be safe than sorry!
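As a concrete illustration of the separate-networks approach from this answer (an added example, not something the poster or any of these projects shipped), here is a Docker Compose layout that puts the publicly exposed Bookstack stack on one user-defined bridge and Pi-hole on another. It also goes one step further than the answer and binds Pi-hole's published ports to the LAN address instead of all interfaces. Image tags, the `192.168.1.10` host address, the env file name and the port numbers are assumptions; substitute your own.

```yaml
# Added example: isolating a public-facing stack from an internal one with
# two user-defined bridge networks. Not from the original post.
# Docker blocks traffic between containers on different user-defined
# bridges by default, so "bookstack" and "pihole" have no direct path
# to each other unless a service is attached to both networks.
services:
  bookstack:
    image: lscr.io/linuxserver/bookstack:latest   # assumed image
    env_file: ./bookstack.env                     # assumed file: DB creds, APP_URL, per the image docs
    networks:
      - public          # the only network this service joins
    ports:
      - "8080:80"       # what your port-forward / reverse proxy reaches
    restart: unless-stopped

  bookstack_db:
    image: mariadb:10.11                          # assumed image
    env_file: ./bookstack.env                     # same assumed file, DB vars only
    networks:
      - public          # same network as the app it serves, nothing else
    restart: unless-stopped

  pihole:
    image: pihole/pihole:latest                   # assumed image
    environment:
      - TZ=Europe/London                          # set the variables the Pi-hole image documents
    networks:
      - internal        # never add "public" here
    ports:
      # Bind only to the LAN address (assumed 192.168.1.10) rather than 0.0.0.0,
      # so the DNS and admin ports are not also exposed on every host interface.
      - "192.168.1.10:53:53/tcp"
      - "192.168.1.10:53:53/udp"
      - "192.168.1.10:8053:80"                    # admin UI, LAN only
    restart: unless-stopped

networks:
  public:
    driver: bridge
  internal:
    driver: bridge      # plain bridge, not "internal: true": Pi-hole still
                        # needs outbound access to its upstream resolvers
```

Two things to check rather than assume. First, the isolation is enforced by iptables rules that Docker manages on the host, so it does not apply if the daemon runs with `--iptables=false` or another firewall tool rewrites those chains; after `docker compose up -d`, verify from inside the public container, for example `docker compose exec bookstack sh -c 'nc -zv -w2 192.168.1.10 53'`, and confirm the connection is refused or times out. Second, the boundary collapses the moment any service (a reverse proxy, a monitoring agent) is attached to both networks, and, as the answer says, it does nothing about the shared kernel; a separate host is still the stronger option if you can afford it.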
Thanks for the tip! I'm definitely considering using separate Docker networks to enhance security with the resources I have.
I appreciate your insight! That makes total sense. I'll weigh my options before diving into Docker.