• fin@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      8
      ·
      4 months ago

      Why do you avoid docker? It’s cleaner than installing on your machine directly.

      • 2xsaiko
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        4 months ago

        Cleaner how? Systemd services can already provide basically all of the isolation features you could want if that’s what you’re talking about. It’s got namespaces, chroot+bind mounts, per-service dynamically allocated users, syscall filter, capability filter, and so on.

        Docker adds a lot of for most uses unnecessary complexity (a huge part of which being the networking). This also sometimes causes problems, for example it messes with netfilter tables which works fine most of the time but can actually do unwanted things like IIRC open ports you didn’t expect to be open because you didn’t open them in your firewall. There’s also how if you use prebuilt images (which you probably do) you’re at the mercy of everyone whose containers you’re using to provide security updates in time.

        Of course there’s cases where you actually want something like docker (multi-machine orchestration, spinning up multiple of the same container dynamically depending on load, running people’s arbitrary build environments like in GitHub Actions are a few examples) but a lot of times when people are pushing it it really seems like cargo cult mentality.