This obviously has some security implications, so I mostly use docker images I roll myself (and rebuild at each deployment). But combined with compartmentalization docker offers, it's a fair trade, I feel.
@saxnot @sullybiker this is honestly the most important thing one needs to understand if one wants to feel at home working with containers (docker or other): a container is not supposed to be long-term, and is not supposed to run multiple services.
Any long-term data storage needs to be outside of it, and updates are handled by redeploying it.
Any additional service should be run in a separate container, using well-defined interfaces (network APIs, etc) for communication, to avoid surprising side-effects.
@rysiek @saxnot I did a lot of work with our security office after some research docker containers kept getting (harmlessly) compromised because they had unpassworded mongodb instances facing the internet. One lesson was that nobody understood the networking, in particular the relation to the host netfilter rules.
@sullybiker @saxnot on the other hand, yes, compartmentalization helps a lot with security here. A compromised container is not necessarily an end-of-the-world event, depending what access it has to other containers and the underlying system.
That's something I *really* appreciate about containers: if you're doing things correctly, you end up with a set of well-separated basic services communicating via well-defined interfaces with no side-effects/side-channels. Way easier to audit and reason about.
People assume containers are not exposed outside, and that's often wrong.
PSA: Docker does not work with UFW. If your server uses UFW and you have Docker stuff behind it, they are most likely still visible outside.
Most "newbie" guides (that I've seen) will recommend UFW, and most "selfhosted" software will recommend Docker. Combine them both, and you fail.
What a wonderful world!
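As an added illustration of the PSA above (not code from anyone in the thread), a small shell audit that reads the Names/Ports columns of `docker ps` and flags every published port bound to all interfaces; those are the mappings Docker's own nat rules deliver before UFW's INPUT chain ever sees the packet. The sample output is constructed, and the container and port names in it are made up.

```shell
#!/bin/sh
# Audit published container ports for host-wide bindings.
# Expected input format: one container per line, as produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Constructed sample (not captured from a real host):
SAMPLE_PS='mongo	0.0.0.0:27017->27017/tcp, :::27017->27017/tcp
redis	127.0.0.1:6379->6379/tcp
web	0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
worker	'

# Print "<container> <host-port>" for each mapping bound to 0.0.0.0 or :::.
# Docker inserts DNAT rules for these in the nat table, so a UFW "deny"
# on the INPUT chain does not stop the traffic; only 127.0.0.1 bindings
# (or rules in the DOCKER-USER chain) keep them off the public interface.
exposed_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
    {
        name = $1
        n = split($2, maps, /, */)          # "a->b/tcp, c->d/tcp"
        for (i = 1; i <= n; i++) {
            if (maps[i] ~ /^(0\.0\.0\.0:|:::)[0-9]+->/) {
                split(maps[i], parts, "->")  # parts[1] = "0.0.0.0:27017"
                sub(/^(0\.0\.0\.0:|:::)/, "", parts[1])
                print name, parts[1]
            }
        }
    }' | LC_ALL=C sort -u                   # IPv4 and IPv6 rows collapse to one
}

# Live usage on a Docker host:
#   exposed_ports "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
#
# Remediation for a flagged service, e.g. the sample mongo container:
#   publish on loopback only:   docker run -p 127.0.0.1:27017:27017 ...
#   or block it at the Docker hook that runs before Docker's own rules:
#   iptables -I DOCKER-USER -i eth0 -p tcp --dport 27017 -j DROP
exposed_ports "$SAMPLE_PS"
```

The audit only covers ports Docker publishes; containers attached to the host network namespace (`--network host`) listen directly on the host and need the usual `ss -ltnp` review instead.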