As mentioned, I took 3 weeks off. When you exercise 10hrs/day, even if you pick sports that you love (what I did), you don't want to work or do any "forced" commute. Take some time for yourself and your health, this is investment too.
It doesn't have to be high-intensity, you can start pretty chill as long as you do something all day long, possibly in water to burn even more calories (beach paddles, surf, bodyboard, waterwalking...).
As mentioned that was only during 3 weeks or so that I took off. Short self-commitment is the only thing that works for me.
Also you don't have to go full power mode for 4 hours, the important part is to be in the water and move as much as possible. I preferred on my end to do half-day at the beach and half-day at the swimming pool.
You'll just feel some hunger before sleep but all the gym has such a great impact that it becomes pretty easy to support it, then your stomach will get to a normal size again.
As someone who lost over 100 pounds (6"2 and from 279 to 169 pounds), I can honestly say that loosing weight is way easier than it seems, provided you have a good work-life balance.
I lost the first 45 pounds in 3 weeks by doing the following daily routine:
- 4 hours of swimming
- 1.5 hours of weights lifting
- 3 hours of swimming
- 2 hours of table tennis
1 BIG lunch, no other meal for the day, TONS of water.
Apps, books and all are completely overrated. Just be motivated and listen to your body, stop exercise when you reach your limit, rest, repeat..
The other 55+ pounds were lost over 2 years and a half without much exercise, just find the arrangement of fruits, lightweight cheese and vegetables + tuna that you love and eat it as often as possible.
The daemon is listening by default on a non-networked unix socket so if you're exposing listening on the network, you're already out of the default behavior (which is totally normal but that means that you've started regarding the instructions/doc on how to do so, and our doc page on this matter also includes security guidelines to enforce TLS verification/whitelisting daemon-side).
There is currently no "superduper-safe-mode" that enforces `--tls-verify` at the daemon-level to prevent lack of client verification/whitelisting. This can be discussed, the issue obviously being the UX (that means getting proper certs, specifying them in the config etc..).
It is VERY hard to do runtime detection of mining apps for two reasons:
1) it's mostly CPU usage intensive work and only if you know what's the average amount of computer power needed by your application upfront will you be able to make a policy decision on which image to stop and how to adjust Cgroups resources. If you don't, you'll have to build a reference profile of a trusted image anyway to be sure of what's the expected behavior.
2) There is no other "malicious" activity that might be reported by runtime security tools (it generally doesn't trigger anything blocked by your seccomp/LSM/filesystem-integrity profiles).
------- How to protect against this -------
The best protection is at the build chain level. There are tools out there to "bless" and/or verify an image's content/creator.
Notary and Docker Trust (higher-level abstraction based on Notary inside Docker) are two tools that allow you to do:
It is crucial for people out there to make sure they only deploy trusted images and make decisions on what to run (CI or Prod) based on signature integrity of trusted images.
We're working on a solution that would please most people for docker containers and services called the Docker Entitlements: https://github.com/moby/libentitlement
These Entitlements are high-level privileges for containers and services that could be baked in images, same way as macOS/iOS apps. These permissions would allow to create custom {seccomp+capabilities+namespaces+apparmor+...} profiles (effectively security profiles) for a better granularity in app sandbox configuration by app developers and ops.
The current POC has `docker run`, `docker service create` and even build mechanism working. The integration is actively being worked on and PRs are being prepared.