Hi there,
I own a new DS machine and intend to use it for the following tasks: (private) data storage, personal devices' backups, run Docker with a few containers like PiHole, Bitwarden, RSS, etc., as well as to host a personal website and run a Mail server with a "catch them all" function. That's a fair mix of private data handling and exposure to the WWW. For this reason, and because I am neither an IT specialist, nore a security expert, my first idea was to run Docker on the "real" DSM beside my private data, and let the web hosting and webmail tasks run on a virtual machine.
Then I thought it could be easier to let the web hosting and webmail servers run in Docker containers as well, as these are supposed to be sandboxed. This way I could avoid VM-management and save some hardware capacity.
Now, I understand the differences between running a proper VM and running containers with Docker, but I couldn't find a lot of info about Docker's security on Synology NASs. Some people consider Docker to be safe enough to let containers run in the same environment than their private data, but others don't. I could find this thread on SynoForum. There are some good advices there, but as a non-specialist I have no idea how to check if my container is "requiring and exposing privileged mode the the internet" or not. Also, Fredbert wrote:
What config would you setup if these were your own device and tasks? Would you run all these tasks in Docker containers, or one or several VM?
Thank's lot for your advices!
I own a new DS machine and intend to use it for the following tasks: (private) data storage, personal devices' backups, run Docker with a few containers like PiHole, Bitwarden, RSS, etc., as well as to host a personal website and run a Mail server with a "catch them all" function. That's a fair mix of private data handling and exposure to the WWW. For this reason, and because I am neither an IT specialist, nore a security expert, my first idea was to run Docker on the "real" DSM beside my private data, and let the web hosting and webmail tasks run on a virtual machine.
Then I thought it could be easier to let the web hosting and webmail servers run in Docker containers as well, as these are supposed to be sandboxed. This way I could avoid VM-management and save some hardware capacity.
Now, I understand the differences between running a proper VM and running containers with Docker, but I couldn't find a lot of info about Docker's security on Synology NASs. Some people consider Docker to be safe enough to let containers run in the same environment than their private data, but others don't. I could find this thread on SynoForum. There are some good advices there, but as a non-specialist I have no idea how to check if my container is "requiring and exposing privileged mode the the internet" or not. Also, Fredbert wrote:
. Does it mean that if I install and run a container from my admin account, this process could get admin rights in case of a hack or bug?Some containers take host UID/GID parameters so I'd be careful not to use a NAS admin on the off-chance something does go wrong.
What config would you setup if these were your own device and tasks? Would you run all these tasks in Docker containers, or one or several VM?
Thank's lot for your advices!