this post was submitted on 09 Jan 2025
1094 points (98.4% liked)
Programmer Humor
19935 readers
3307 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
There are another important reason than most of the issues pointer out here that docker solves.
Security.
By using containerization Docker effectively creates another important barrier which is incredibly hard to escape, which is the OS (container)
If one server is running multiple Docker containers, a vulnerability in one system does not expose the others. This is a huge security improvement. Now the attacker needs to breach both the application and then break out of a container in order to directly access other parts of the host.
Also if the Docker images are big then the dev needs to select another image. You can easily have around 100MB containers now. With the "distroless" containers it is maybe down to like 30 MB if I recall correctly. Far from 1GB.
Reproducability is also huge efficiency booster. "Here run these this command and it will work perfecty on your machine" And it actually does.
It also reliably allows the opportunity to have self-healing servers, which means businesses can actually not have people available 24/7.
The use of containerization is maybe one of the greatest marvels in software dev in recent (10+) years.
https://www.explainxkcd.com/wiki/index.php/2044:_Sandboxing_Cycle
Oof. I'm anxious that folks are going to get the wrong idea here.
While OCI does provide security benefits, it is not a part of a healthly security architecture.
If you see containers advertised on a security architecture diagram, be alarmed.
If a malicious user gets terminal access inside a container, it is nice that there's a decent chance that they won't get further.
But OCI was not designed to prevent malicious actors from escaping containers.
It is not safe to assume that a malicious actor inside a container will be unable to break out.
Don't get me wrong, your point stands: Security loves it when we use containers.
I just wish folks would stop treating containers as "load bearing" in their security plans.
This
I've tried making this argument before and people never seem to agree. I think Google claims their Kubernetes is actually more secure than traditional VMs, but how true that really is I have no idea. Unfortunately though there are already things we depend upon for security that are probably less secure than most container platforms, like ordinary unix permissions or technologies like AppArmour and SELinux.
Yes, yes you really should
I said this a year and a half ago and I still haven't, awful decision, I now own servers too so I should really learn them
The worse part is having the gear and STILL not learning/playing with it.
I got stuff to start [email protected] like an old i5 minipc and even a 64gb i7 pro series laptop...
Theyre just sitting unplugged with mint on them.
You would be using them if you installed arch
/s
Well, mucking about with configuration on a computer is a form of entertainment hence its "use" in a broader sense...
What a waste of potential compute at least have it mining crypto in the background.
Isn't Crypto unprofitable in countries with high energy cost?
Depends on the hash algorithm iirc.
There's a udemy course by Maximilian that is only $20 that helped me immensely. Highly recommend.
Isn't Docker massively insecure when compared to the likes of Podman, since Docker has to run as a root daemon?
I don't have in-depth knowledge of the differences and how big that is. So take the following with a grain of salt.
My main point is that using containerization is a huge security improvement. Podman seems to be even more secure. Calling Docker massively insecure makes it seem like something we should avoid, which takes focus away from the enormous security benefit containerization gives. I believe Docker is fine, but I do use Podman myself, but that is only because Podman desktop is free, and Docker files seem to run fine with Podman.
Edit: After reading a bit I am more convinced that the Podman way of handling it is superior, and that the improvement is big enough to recommend it over Docker in most cases.
ofc containerisation is still better than running it natively in terms of security (which is why I said "compared to Podman"), but that's kind of mostly a side effect of it's main thing: reproducible runtime environments. It's not rly good security tho afaik and shouldn't be relied upon in that regard at all, but I don't know too much about it
I prefer Podman. But Docker can run rootless. It does run under root by default, though.
afaik it's still using a daemon, compared to Podman being daemonless, right? ofc it's better to run it in userspace, tho I can't recall if it limited some of the features or not and whether it was easy to set up
Not only that but containers in general run on the host system's kernel, the actual isolation of the containers is pretty minimal compared to virtual machines for example.
It amused me that the votes on your comment (a simple factual statement) reflect how many people here vote without knowing what the fuck they're talking about.
I think many of the people don't understand the difference between containers vs VMs
… With the tradeoff being containers much more lightweight and having much less overhead than VMs…
What exactly do you think the vm is running on if not the system kernel with potentially more layers.
Virtual machines do not use host kernel, they run full OS with kernel, cock and balls on virtualized hardware on top of the host OS.
Containers are using the host kernel and hardware without any layer of virtualization
Sounds like an ugly retrofit of bsd jail
Containerized software is huge in the sciences for reproducible research. Or at least it will/should be (speaking as someone adjacent to bioinformatics and genomics)
You don't have to ship a second OS just to containerize your app.
Always someone who needs to explain and ruin the joke..
Not everyone is experienced in the space. I appreciate the reader notes.
Based on many of the other comments, I don't think most people understood the joke.