That was fast.
But wouldn’t that limit the issue to the container?
You could simply point out that you don’t offer support for services run through Docker and require users to disable Docker to receive support?
When users have issues the first advice would be to turn off docker and check if the issue still persists.
But that would already require that the attacker already has access to the machine or not?
As you may have guessed that is something I lack expertise in. But just to be clear on one point you mentioned here, shouldn’t your sealed kernel make it impossible to load custom kernel modules?
IMHO that’s not really your problem but the user’s problem. It’s like not knowing how to drive but still deciding to drive like an idiot in a new Porsche. The dealership certainly won’t be blamed or liable for any damages caused by the dumb driver.
None taken. I do have a Pi and I also have the money to put another machine into my 19-inch rack at home, but running a STORJ node doesn’t justify additional expenses.
Having a machine already running 24/7 (ipfire) and some additional HDDs, however, makes it a “lucrative” idea to run STORJ on ipfire. (And STORJ requires Docker).
I mentioned the budgeting issue because I assume that there are quite a few ipfire users that run ipfire on some old machine and don’t have the funds or - like with STORJ - want to run some additional service that does not justify spending additional money.
See above, simply don’t offer support for services running in Docker containers (besides containers that you may eventually provide yourself)
Again, seems like it’s the users’ problem, not yours.
Sure, things like CI/CD, Docker,… make things easier and users don’t have to know anymore how things work without them, but at least in my professional life they also save time and make things easier, or at least I perceive it that way.
While it would be great if every network is administrated by someone with your knowledge it simply won’t ever be the case. Even within company networks in many cases, the network is managed by someone that has just a little bit more knowledge about it than the average user. That doesn’t mean that restrictions are the solution.
True, but why is that your problem? Pointing out that you don’t offer support for issues that appear while Docker containers are running solves any potential additional support effort
I also read through some of the other feature requests like, for example, Feature Request: Easy Way to Add VPN Service and it looks like you already made up your mind on deciding what users should be able to do. Personally, I think that’s the wrong way to go, but I respect your position. I guess, it’s clear that you won’t accommodate this feature request, so I won’t take up any more of your time.
Thanks again for taking the time to reply to my initial message and for providing quite a lot of additional information.