How safe are Diet-Pi installed Portainer-managed containers exposed to the WAN

I am n00b-ish when it comes to Docker, which is why I opt for Portainer to manage my containers. I am also n00b-ish enough to know enough to get myself into bother.

I am currently running a few services which I would like to expose, via a reverse proxy, to the nasties of the outside world. I am sure that this question has been asked a million times before, but due to the holes in my understanding I am not yet satisfied that I know the answer to my particular scenario.

If I enumerate my assumptions then it will make it easier for people to confirm or dispel them.

As I understand it:

  1. Diet-Pi creates a new user for each piece of software installed via dietpi-software, and therefore it makes it more difficult for any intrusion attempt to gain control over other services.
  2. Installing Portainer via dietpi-software means that it runs as root (as suggested by htop), but the volumes that are described in the compose files are owned by dietpi (a peasant user).
  3. Docker/containerisation provides isolation between containers, which means that forwarding ports to a specific container would effectively prevent bad actors from gaining access to other containers/volumes that are not mounted by them.

Which leads me to the main questions:

  1. Is Diet-Pi, in general, safe to expose to the world?
  2. How safe is it to proxy to a container?
  3. What steps should I take in order to make this more secure, if indeed it is possible?

Some background info on my current setup:

  • Diet-Pi currently runs in a Hyper-V VM (the plan is to move to Unraid when I have some time, hence why I am containerising everything)
  • I have a number of containers running on the same Portainer instance: torrent client, podcast manager, photo manager…
  • I have a reverse proxy running on a separate Diet-Pi machine that is acting as a gateway and managing the SSL for a bunch of subdomains which are currently blackholing until I build up the courage to let them do their thing.

I realise that there is a lot here. I also feel that Diet-Pi has managed to do so much for me in terms of making my current setup a reality that I do not want to ruin it all by allowing naughty people to peruse holiday photos of my shockingly beach (un)ready body!

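One way to check assumptions 2 and 3 against what is actually running, as an added example that is not from the post, from DietPi or from Portainer: a Python script that reads the JSON printed by `docker inspect` and flags the settings that undo container isolation (no in-container user, privileged mode, host networking, the Docker socket bind-mounted in, ports published on every interface). The input below is a constructed sample in that shape; the container names, mounts and ports are made up for illustration.

```python
import json

# Constructed sample shaped like `docker inspect <id> <id>` output (not from a real host).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/portainer",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": False,
            "NetworkMode": "bridge",
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "portainer_data:/data"],
            "PortBindings": {"9443/tcp": [{"HostIp": "", "HostPort": "9443"}]},
        },
    },
    {
        "Name": "/photos",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False,
            "NetworkMode": "bridge",
            "Binds": ["/home/dietpi/photos:/data"],
            "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
        },
    },
])


def audit_container(c):
    """Return a list of isolation findings for one `docker inspect` record."""
    findings = []
    host = c.get("HostConfig", {})
    if c.get("Config", {}).get("User", "") in ("", "0", "root", "0:0"):
        findings.append("runs as root inside the container (no Config.User set)")
    if host.get("Privileged"):
        findings.append("privileged: namespaces no longer separate it from the host")
    if host.get("NetworkMode") == "host":
        findings.append("host networking: shares the host's network stack")
    for bind in host.get("Binds") or []:          # Binds is null when only named volumes are used
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("mounts the Docker socket: equivalent to root on the host")
    for port, binds in (host.get("PortBindings") or {}).items():
        for b in binds:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(f"{port} published on all interfaces (host port {b['HostPort']}); "
                                "bind it to 127.0.0.1 and let only the reverse proxy reach it")
    return findings


def audit_inspect_output(raw_json):
    """Map container name -> findings for a whole `docker inspect` document."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(raw_json)}


if __name__ == "__main__":
    for name, found in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", found or ["no findings"])
```

On a real host, feed it `docker inspect $(docker ps -q)`; the Portainer container itself always shows the socket finding, because Portainer manages Docker through that socket and is therefore root on the host regardless of what the other containers can see.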