Why docker

Hexarei, 1 year ago

Others have addressed the root and trust questions, so I thought I’d mention the “mess” question:

Even the messiest bowl of ravioli is easier to untangle than a bowl of spaghetti.

The mounts/networks/rules and such aren’t “mess”, they are isolation. They’re commoditization. They’re abstraction - Ways to tell whatever is running in the container what it wants to hear, so that you can treat the container as a “black box” that solves the problem you want solved.

Think of Docker containers less like pets and more like cattle, and it very quickly justifies a lot of that stuff because it makes the container disposable, even if the data it’s handling isn’t.

paws, 1 year ago

I ended up using Docker to set up pict-rs and y’all are making me happy I did

avidamoeba, 1 year ago

In short, yes, yes it’s worth it.

msage, 1 year ago

I have VMs on my metal, one specific for containers.

Though I use LXC. Docker started with LXC, then grew bigger, and I don’t like how big it is.

If I can set up one simple NAT and run everything inside a container, I don’t need Docker.

Docker’s main advantage is the hub.

Moonrise2473, 1 year ago

About the root problem, as of now new installs are trying to let the user to run everything as a limited user. And the program is ran as root inside the container so in order to escape from it the attacker would need a double zero day exploit (one for doing rce in the container, one to escape the container)

The alternative to “don’t really know what’s in the image” usually is: “just download this Easy minified and incomprehensible trustmeimtotallynotavirus.sh script and run it as root”. Requires much more trust than a container that you can delete with no traces in literally seconds

If the program that you want to run requires python modules or node modules then it will make much more mess on the system than a container.

Downgrading to a previous version (or a beta preview) of the app you’re running due to bugs it’s trivial, you just change a tag and launch it again. Doing this on bare metal requires to be a terminal guru

Finally, migrating to a new fresh server is just docker compose down, then rsync to new server, and then docker compose up -d. And not praying to ten different gods because after three years you forgot how did you install the app in bare metal like that.

Docker is perfect for common people like us self hosting at home, the professionals at work use kubernetes

itsnotits, 1 year ago

the program is run* as root

possiblylinux127, 1 year ago

Well docker tends to be more secure if you configure it right. As far as images go it really is just a matter of getting your images from official sources. If there isn’t a image already available you can make one.

The big advantage to containers is that they are highly reproducible. You no longer need to worry about issues that arise when running on the host directly.

Also if you are looking for a container runtime that runs as a local user you should check out podman. Podman works very similarly to docker and can even run your containers as a systemd user service.

umbrella, 1 year ago

people are rebuffing the criticism already.

heres the main advantage imo:

no messy system or leftovers. some programs use directories all over the place and it gets annoying fast if you host many services. sometimes you will have some issue that requires you to do quite a bit of hunting and redoing things.

docker makes this painless. you can deploy and redeploy stuff easily and quickly, without a mess. updates are painless and quick too, with everything neatly self-contained.

much easier to maintain once you get the hang of things.

million, 1 year ago

Quick addition, I think for the messy argument the way I would articulate it for folks running servers is it helps you move from pets to cattle.

ssdfsdf3488sd, 1 year ago

Because if you use relative bind mounts you can move a whole docker compose set of contaibera to a new host with docker compose stop then rsync it over then docker compose up -d.

Portability and backup are dead simple.

shalva97, 1 year ago

Life is too short to install everything on baremetal.

purplemonkeymad, 1 year ago

For real, at the minimum use a virtual machine.

spookedbyroaches, 1 year ago

Use lxc/lxd to get all of the performance benefits of docker and all the freedom of a vm

peter, 1 year ago

Docker is a messy and not ideal but it was born out of a necessity, getting multiple services to coexist together outside of a container can be a nightmare, updating and moving configuration is a nightmare and removing things can leave stuff behind which gets messier and messier over time. Docker just standardises most of the configuration whilst requiring minimal effort from the developer

haui_lemmy, 1 year ago (edited 11 months ago)

Imo, yes.

• only run containers from trusted sources (btw. google, ms, apple have proven they cant be trusted either)
• run apps without dependency hell
• even if someone breaks in, they’re not in your system but in a container
• have everything web facing separate from the rest
• get per app resource statistics

Those are just what was in my head. Probably more to be said.

Gooey0210, 1 year ago

3. Even if someone breaks in, they are not a user, but root 🤝

haui_lemmy, 1 year ago

*in that container, not in the system

invertedspear, 1 year ago

Also the ability to snapshot an image, goof around with changes, and if you don’t like them restore the snapshot makes it much easier to experiment than trying to unwind all the changes you make.

haui_lemmy, 1 year ago

I havent actually tried that. Might need to check it out. :)

Gooey0210, 1 year ago (edited 10 months ago)

Check out Nixos, this is like the next step of docker

Ah, and a side note: docker is not fully open source

eluvatar, 1 year ago

About the trust issue. There’s no more or less trust than running on bare metal. Sure you could compile everything from source but you probably won’t, and you might trust your distro package manager, but that still has a similar problem.