Running non official docker apps on TrueNAS CE

Ok so obviously you can run docker applications no problem on TrueNAS CE (and I am led to believe manage them quite effectively?) using something like the official dockge app?

So my question is this.

Can “non official” docker apps leave my TrueNAS server vulnerable to hacking/viruses and the like? More so than “official” apps?

What makes “official” docker apps any more secure (if at all)? Does anything make them special above non official ones?

Given we are all basically “experimenting” with CE (yes I get we are doing it “for free” - in return we are however, passing back our experiences with CE, trialing new aspects for the main “enterprise show” and for the benefit of the company concerned)….being the guinea pigs as it were..

What is the official stance on the use of “non official” docker apps on TrueNAS CE?

thanks!

It’s not dependent on whether it’s an official or custom app, it depends on the image the app uses. You can deploy the same image (e.g. plex) with the official app or you build your own app with it.
If there’s a security problem with the image, both versions would have the issue…
Official apps only offer a simpler method for non technical persons to install apps (granted that they’re sometimes, somewhat limited in the options that are exposed).

The question should be how to determine if the image that gets used is secure…

2 Likes

Awesome reply… so how do you determine that? (whether or not the image that gets used is secure)?

Ok.. so I kind of guess this relates to my request for Hawser ….(see feature requests)….as it hasn’t even got any votes yet?!!!.. (come on everyone!) … but given Dockhand runs Trivy and Grype natively….. shouldn’t there be more work by the TrueNAS team to start officially supporting app security (both official and non official)?

If ppl don’t have a use case for that app, it’s unlikely to get votes, and requests to add apps should be filed on the truenas apps section in the GitHub repo at truenas/apps.

For non IT persons to determine whether an image is safe or not is kinda hard. If you don’t understand what the docker image includes you can pretty much just go about the reputation of the developer (think like plex, nextcloud, jellyfin etc) and how many others are using the image (number of downloads for the image)…
I can’t think of any other metric one could use to determine if an image is safe to use (other than your own common sense).

1 Like

^Sure.. thanks for all the answers.. I’m a newbie.. I get it .. (shouldn’t make me less inquisitive and afraid to ask questions though)… right? :grinning_face:

Nothing. Official images are not more secure in any way: What they provide is one-click deployment from GUI.
If you’re comfortable with YAML, you may deploy the same apps manually or through your favourite docker manager (Dockge, Portainer,…)—and some would even advise to do so, for the sake of independence and easier migration across servers.

1 Like

Ok got it!

(Geez.. and I thought having apps “official” an’ all made them somehow more secure.. like they were being checked or something - how naive I was! :thinking: )

Given we are helping the mothership test things like apps and everything, isn’t it time the TrueNAS team kind of got serious about the security of these?

I assumed they at least checked (the official ones) are from reputable sources?

(please don’t shoot the messenger… I’m just putting all this out there..) :wink:

…maybe it’s time I just put hawser (or some other security solution) on there myself…

What do y’all do about making yr apps secure?

I guess it depends on what you mean by “reputable sources,” but I wouldn’t make this assumption.

Not even from you. Interesting.

Primarily, “be very picky about what we expose to the outside world.” Anything else is secondary.

1 Like

Nothing sinister about this thread or that hawser request I assure you…:wink:

(Who votes for their own feature requests?!!)

Anyway.. appreciate all the replies and help :grinning_face:

Everyone who wants them to be considered.

1 Like

Not just these, but you can also avoid the myriad unnecessary problems that people experience when they use the “official” apps. Just look at all the problems people are having lately with the community app version of Immich updating to Pg18. Those of us using the official Immich images aren’t having this problem at all. There’s really no good reason to use the community apps; they just introduce an extra layer of maintainership (which is usually quite poor) and a lot of limitations, all so you don’t have to look at a simple YML file.

1 Like