Richard Pieri wrote:
> Which in fact /reduces/ overall system security. Starting a Docker
> container requires root.

It's no worse than the previously mentioned solution that required sudo to switch to a dedicated browser user.

If you are running a shared system (neither of these solutions are likely the right fit), and you don't want the regular user to be in the privileged 'docker' group, then use a SetUID script (or sudo rule) that is restricted to launching the specific container.

> That's not even beginning to touch on the problems with updating the
> browsers. Because one doesn't update applications in a Docker container;
> one updates the whole container.

That's the recommended philosophy for using Docker in production environments, but Docker also works perfectly well in a copy-on-change model, just like a VM. Update the browser in-situ. (You can save the state of the container if you want to be able to instantiate (or share) clones of the updated container image.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
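
The sudo-rule variant of the restricted launcher described in the message above, as an added example that is not part of the original post. The script path, the `browser` group and the image name are assumptions.

```shell
#!/bin/sh
# Hypothetical launcher, installed root-owned and not user-writable as
#   /usr/local/sbin/run-browser-container
# Matching sudoers rule (constructed; the trailing "" means the command may
# only be run with no arguments, and users are NOT added to the docker group):
#   %browser ALL=(root) NOPASSWD: /usr/local/sbin/run-browser-container ""
export LC_ALL=C
IMAGE="local/browser:latest"   # assumed image name

# Validate the identity sudo recorded for the caller before it is used
# in the container name and the --user option.
check_context() {
    # $1 = SUDO_USER, $2 = SUDO_UID
    case "$1" in ""|*[!a-z0-9_-]*) return 1 ;; esac
    case "$2" in ""|*[!0-9]*) return 1 ;; esac
    # Never run the browser as uid 0 inside the container.
    [ "$2" -ne 0 ]
}

main() {
    # No caller-supplied argument ever reaches docker, so the user cannot
    # add volume mounts, extra capabilities or a different image.
    if [ "$#" -ne 0 ]; then
        echo "usage: run-browser-container (takes no arguments)" >&2
        return 2
    fi
    if ! check_context "${SUDO_USER:-}" "${SUDO_UID:-}"; then
        echo "refusing to start: not invoked through sudo by a regular user" >&2
        return 1
    fi
    # Fixed command line: one image, unprivileged uid, no capabilities.
    exec /usr/bin/docker run --rm \
        --name "browser-$SUDO_USER" \
        --user "$SUDO_UID:$SUDO_UID" \
        --cap-drop=ALL \
        --security-opt no-new-privileges \
        "$IMAGE"
}

# Only act when invoked under the installed name.
case "$0" in
    */run-browser-container) main "$@" ;;
esac
```
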