switched from portainer to arcane recently. much easier on the eyes and the ability to save compose projects without deploying them yet is exactly what i was looking for. one thing is weird and i should prolly make an issue for it: no horizontal scroll or word wrap function in the compose editor, so for those compose files with extensive comments like npmplus you’ll have to have open in a text editor or webpage to read to the end of lines.
man, arcane looks amazing, I ended up deciding off it though as their pull requests look like they use copilot for a lot of code for new features. Not that I personally have an issue with this but, I’ve seen enough issues where copilot or various AI agents add security vulnerabilities by mistake and they aren’t caught, so I would rather stray away from those types of projects at least until that issue becomes less common/frequent.
For something as detrimental as a management console to a program that runs as root on most systems, and would provide access to potentially high secure locations, I would not want such a program having security vulnerabilities.
while docker does have a non-root installer, the default installer for docker is docker as root, containers as non-root, but since in order to manage docker as a whole it would need access to the socket, if docker has root the container by extension has root.
Even so, if docker was installed in a root-less environment then a compromised manager container would still compromise everything on that docker system, as a core requirement for these types of containers are access to the docker socket which still isn’t great but is still better than full root access.
To answer the question: No it doesn’t require it to function, but the default configuration is root, and even in rootless environment a compromise of the management container that is meant to control other containers will result in full compromise of the docker environment.
switched from portainer to arcane recently. much easier on the eyes and the ability to save compose projects without deploying them yet is exactly what i was looking for. one thing is weird and i should prolly make an issue for it: no horizontal scroll or word wrap function in the compose editor, so for those compose files with extensive comments like npmplus you’ll have to have open in a text editor or webpage to read to the end of lines.
Komodo is the best portainer alt I’ve found, I read through the Arcane info but it doesnt seem as good. Komodos editor also works great.
I’m just waiting for something like this with native podman support
man, arcane looks amazing, I ended up deciding off it though as their pull requests look like they use copilot for a lot of code for new features. Not that I personally have an issue with this but, I’ve seen enough issues where copilot or various AI agents add security vulnerabilities by mistake and they aren’t caught, so I would rather stray away from those types of projects at least until that issue becomes less common/frequent.
For something as detrimental as a management console to a program that runs as root on most systems, and would provide access to potentially high secure locations, I would not want such a program having security vulnerabilities.
Does it have to run as root? It’s common to run Docker in rootless mode in production environments.
while docker does have a non-root installer, the default installer for docker is docker as root, containers as non-root, but since in order to manage docker as a whole it would need access to the socket, if docker has root the container by extension has root.
Even so, if docker was installed in a root-less environment then a compromised manager container would still compromise everything on that docker system, as a core requirement for these types of containers are access to the docker socket which still isn’t great but is still better than full root access.
To answer the question: No it doesn’t require it to function, but the default configuration is root, and even in rootless environment a compromise of the management container that is meant to control other containers will result in full compromise of the docker environment.
ugh well that sucks butt. i’ll be trying new alternatives tonight i guess lol
any recommendations?
I switched from Portainer to Dockge to Komodo. Been very happy with komodo so far
Sadly no recommendations, I still use portainer myself
Dockge?
I wouldn’t be exposing any management consoles to the internet either way, too much risk with something that has docker socket access.