Are Docker apps safe?

Forgive me if this is an overly simplistic question, but I love the idea of VMs running programs, which is what Docker means to me when I think of it. I've not implemented it yet, but a few months back there was a report that a significant number of Docker packages have security flaws. For me, that begs the question of whether using Docker is introducing security issues into my NAS. Can someone help me better understand whether this is a valid concern?
Docker containers are not VMs... I am sure plenty of blog posts and Stack Overflow posts cover the differences in depth already, so I am going to skip it.

The biggest problem that comes to mind is unmaintained images. An image is a point-in-time snapshot of the "main" service, its dependencies, configurations and usually a more or less clever entrypoint script. The further this point in time is in the past, the more likely it is an image has vulnerabilities...

While you'd patch a VM the same way you would patch a bare-metal system, with Docker, you don't patch your container, you usually build a new image and re-create the container based on the new image. You don't patch the container, because it's ephemeral: once the container is deleted the patches are gone and you start over with the "current state of the image".

Stay away from images that are not frequently updated and/or lack a proper description. Images from linuxserver and bitnami are constantly released and always close to the recent patch levels. They are sometimes even more up to date than the official images.

Prefer images based on minimal Alpine, rather than based on Debian, Ubuntu, CentOS, RHEL, ... Usually the other distributions provide packages and libraries you don't need, but still can contain vulnerabilities.

Try to avoid --privileged and --network host if possible. Even though these flags might make life easier, they introduce additional attack vectors and weaken the isolation of containers. I find --network host less problematic than --privileged.

Do I think apps in Docker containers are safe? It depends if:
- the (containerized) application does not have known vulnerabilities in general
- the images for the application are actively maintained and frequently updated
- the image does not require privileged mode
- containers are immediately re-created based on the recent image version.
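
The checklist above can be run against the JSON that `docker inspect` (containers) and `docker image inspect` (images) print. This is an added example, not part of the original post: the function names, the 90-day staleness threshold and the sample data are assumptions, and image build date is used only as a rough proxy for "actively maintained".

```python
import json
from datetime import datetime, timezone

MAX_IMAGE_AGE_DAYS = 90  # assumed staleness threshold, not from the thread

def parse_created(ts):
    # Docker reports RFC 3339 UTC timestamps with nanoseconds; keep whole seconds.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit(containers, images, now=None):
    """Return (container, finding) pairs for the thread's checklist."""
    now = now or datetime.now(timezone.utc)
    built_at = {img["Id"]: parse_created(img["Created"]) for img in images}
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        host = c.get("HostConfig", {})
        if host.get("Privileged"):
            findings.append((name, "runs with --privileged"))
        if host.get("NetworkMode") == "host":
            findings.append((name, "uses --network host"))
        built = built_at.get(c["Image"])  # container .Image holds the image ID
        if built is None:
            findings.append((name, "image metadata missing"))
        elif (now - built).days > MAX_IMAGE_AGE_DAYS:
            findings.append((name, f"image built {(now - built).days} days ago"))
    return findings

# Constructed sample data, trimmed to the fields used above.
SAMPLE_CONTAINERS = json.loads("""[
  {"Name": "/vpn", "Image": "sha256:aaaa",
   "HostConfig": {"Privileged": true, "NetworkMode": "host"}},
  {"Name": "/web", "Image": "sha256:bbbb",
   "HostConfig": {"Privileged": false, "NetworkMode": "bridge"}}
]""")
SAMPLE_IMAGES = json.loads("""[
  {"Id": "sha256:aaaa", "Created": "2023-01-10T08:15:30.123456789Z"},
  {"Id": "sha256:bbbb", "Created": "2024-05-20T12:00:00.000000000Z"}
]""")

if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, finding in audit(SAMPLE_CONTAINERS, SAMPLE_IMAGES, fixed_now):
        print(f"{name}: {finding}")
```

A recent build date does not cover the first item on the list: whether the application itself has known vulnerabilities still needs a separate check.
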
Thank you very much. I appreciate my VM analogy was not the best, but it was the best I could come up with to reflect my rudimentary knowledge.

Is there a good source of docker packages that meet the criteria you list above?
Just search Docker Hub and be good :)

Hint: docker images are neither docker apps, nor docker packages. Containers are the runtime instances of images.
